Abstract. Given a Kripke structure $M$ and a CTL formula $\phi$, where $M$ does not satisfy
$\phi$, the problem of Model Repair is to obtain a new model $M'$ such that $M'$ satisfies $\phi$.
Moreover, the changes made to $M$ to derive $M'$ should be minimum with respect to all
such $M'$. As in model checking, state explosion can make it virtually impossible to carry
out model repair on models with infinite or even large state spaces. In this paper, we
present a framework for model repair that uses abstraction refinement to tackle state
explosion. Our framework aims to repair Kripke Structure models based on a Kripke
Modal Transition System abstraction and a 3-valued semantics for CTL. We introduce
an abstract-model-repair algorithm for which we prove soundness and semi-completeness,
and we study its complexity class. Moreover, a prototype implementation is presented
to illustrate the practical utility of abstract-model-repair on an Automatic Door Opener
system model and a model of the Andrew File System 1 protocol.


1. Introduction 

Given a model $M$ and a temporal-logic formula $\phi$, model checking [16] is the problem of
determining whether or not $M \models \phi$. When this is not the case, a model checker will typically
provide a counterexample in the form of an execution path along which $\phi$ is violated. The
user should then process the counterexample manually to correct $M$.

An extended version of the model-checking problem is that of model repair: given a
model $M$ and a temporal-logic formula $\phi$, where $M \not\models \phi$, obtain a new model $M'$, such that
$M' \models \phi$. The problem of Model Repair for Kripke structures and Computation Tree Logic
(CTL) [28] properties was first introduced in [12].

[Software and its Engineering]: Software organization and properties—Software functional properties—
Formal methods—Model checking.

State explosion is a well-known limitation of automated formal methods, such as model
checking and model repair, which impedes their application to systems having large or even
infinite state spaces. Different techniques have been developed to cope with this problem.
In the case of model checking, abstraction [?, 23, 21] is used to create a smaller,
more abstract version $\hat{M}$ of the initial concrete model $M$, and model checking is performed
on this smaller model. For this technique to work as advertised, it should be the case that if
$\hat{M} \models \phi$ then $M \models \phi$.

Motivated by the success of abstraction-based model checking, we present in this paper
a new framework for Model Repair that uses abstraction refinement to tackle state explosion.
The resulting Abstract Model Repair (AMR) methodology makes it possible to repair models
with large state spaces, and to speed up the repair process through the use of smaller abstract
models. The major contributions of our work are as follows:

• We provide an AMR framework that uses Kripke structures (KSs) for the concrete model
$M$, Kripke Modal Transition Systems (KMTSs) for the abstract model $\hat{M}$, and a 3-valued
semantics for interpreting CTL over KMTSs [?]. An iterative refinement of the abstract
KMTS model takes place whenever the result of the 3-valued CTL model-checking problem
is undefined. If the refinement process terminates with a KMTS that violates the CTL
property, this property is also falsified by the concrete KS $M$. Then, the repair process
for the refined KMTS is initiated.

• We strengthen the Model Repair problem by additionally taking into account the following
minimality criterion (refer to the definition of Model Repair above): the changes made to
$M$ to derive $M'$ should be minimum with respect to all $M'$ satisfying $\phi$. To handle the
minimality constraint, we define a metric space over KSs that quantifies the structural
differences between them.

• We introduce an Abstract Model Repair algorithm for KMTSs, which takes into account 
the aforementioned minimality criterion. 

• We prove the soundness of the Abstract Model Repair algorithm for the full CTL and 
the completeness for a major fragment of it. Moreover, the algorithm’s complexity is 
analyzed with respect to the abstract KMTS model size, which can be much smaller than 
the concrete KS. 

• We illustrate the utility of our approach through a prototype implementation used to repair 
a flawed Automatic Door Opener system [5] and the Andrew File System 1 protocol. Our 
experimental results show significant improvement in efficiency compared to a concrete 
model repair solution. 

Organization. The rest of this paper is organized as follows. Sections 2 and 3 introduce
KSs, KMTSs, as well as abstraction and refinement based on a 3-valued semantics for CTL.
Section 4 defines a metric space for KSs and formally defines the problem of Model Repair.
Section 5 presents our framework for Abstract Model Repair, while the section that follows
introduces the abstract-model-repair algorithm for KMTSs and discusses its soundness,
completeness and complexity properties. A subsequent section presents the experimental
evaluation of our method through its application to the Andrew File System 1 protocol (AFS1).
The last two sections consider related work and conclude with a review of the overall approach,
pinpointing directions for future work.
Figure 1. The Automatic Door Opener (ADO) System.


2. Kripke Modal Transition Systems


Let $AP$ be a set of atomic propositions. Also, let $Lit$ be the set of literals:

$Lit = AP \cup \{\neg p \mid p \in AP\}$


Definition 2.1. A Kripke Structure (KS) is a quadruple $M = (S, S_0, R, L)$, where:

(1) $S$ is a finite set of states.

(2) $S_0 \subseteq S$ is the set of initial states.

(3) $R \subseteq S \times S$ is a transition relation that must be total, i.e.,

$\forall s \in S : \exists s' \in S : R(s, s')$.

(4) $L : S \to 2^{Lit}$ is a state labeling function, such that

$\forall s \in S : \forall p \in AP : p \in L(s) \Leftrightarrow \neg p \notin L(s)$. □


The fourth condition in Def. 2.1 ensures that any atomic proposition $p \in AP$ has one and
only one truth value at any state.


Example. We use the Automatic Door Opener system (ADO) of [5] as a running example
throughout the paper. The system, given as a KS in Fig. 1, requires a three-digit code
$(p_0, p_1, p_2)$ to open a door, allowing for one and only one wrong digit to be entered at most
twice. Variable $err$ counts the number of errors, and an alarm is rung if its value exceeds two.
For the purposes of our paper, we use a simpler version of the ADO system, given as the KS
$M$ in Fig. 3a, where the set of atomic propositions is $AP = \{q\}$ and $q = (\mathit{open} = \mathit{true})$.


Definition 2.2. A Kripke Modal Transition System (KMTS) is a 5-tuple $\hat{M} = (\hat{S}, \hat{S}_0,
R_{must}, R_{may}, \hat{L})$, where:

(1) $\hat{S}$ is a finite set of states.

(2) $\hat{S}_0 \subseteq \hat{S}$ is the set of initial states.

(3) $R_{must} \subseteq \hat{S} \times \hat{S}$ and $R_{may} \subseteq \hat{S} \times \hat{S}$ are transition relations such that $R_{must} \subseteq R_{may}$.

(4) $\hat{L} : \hat{S} \to 2^{Lit}$ is a state-labeling such that $\forall \hat{s} \in \hat{S}, \forall p \in AP$, $\hat{s}$ is labeled by at most one
of $p$ and $\neg p$. □


A KMTS has two types of transitions: must-transitions, which exhibit necessary behavior, and
may-transitions, which exhibit possible behavior. Must-transitions are also may-transitions.
The "at most one" condition in the fourth part of Def. 2.2 makes it possible for the truth
value of an atomic proposition at a given state to be unknown. This relaxation of truth
values in conjunction with the existence of may-transitions in a KMTS constitutes a partial
modeling formalism.

Verifying a CTL formula $\phi$ over a KMTS may result in an undefined outcome ($\bot$). We
use the 3-valued semantics [38] of a CTL formula at a state $\hat{s}$ of KMTS $\hat{M}$.


Definition 2.3. [38] Let $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be a KMTS. The 3-valued semantics
of a CTL formula $\phi$ at a state $\hat{s}$ of $\hat{M}$, denoted as $(\hat{M}, \hat{s}) \models_3 \phi$, is defined inductively as
follows:

• If $\phi = \mathit{false}$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$

• If $\phi = \mathit{true}$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$

• If $\phi = p$ where $p \in AP$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff $p \in \hat{L}(\hat{s})$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff $\neg p \in \hat{L}(\hat{s})$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = \neg\phi_1$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff $[(\hat{M}, \hat{s}) \models_3 \phi_1] = \mathit{false}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff $[(\hat{M}, \hat{s}) \models_3 \phi_1] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = \phi_1 \lor \phi_2$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff $[(\hat{M}, \hat{s}) \models_3 \phi_1] = \mathit{true}$ or $[(\hat{M}, \hat{s}) \models_3 \phi_2] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff $[(\hat{M}, \hat{s}) \models_3 \phi_1] = \mathit{false}$ and $[(\hat{M}, \hat{s}) \models_3 \phi_2] = \mathit{false}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = \phi_1 \land \phi_2$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff $[(\hat{M}, \hat{s}) \models_3 \phi_1] = \mathit{true}$ and $[(\hat{M}, \hat{s}) \models_3 \phi_2] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff $[(\hat{M}, \hat{s}) \models_3 \phi_1] = \mathit{false}$ or $[(\hat{M}, \hat{s}) \models_3 \phi_2] = \mathit{false}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = AX\phi_1$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff for all $\hat{s}_i$ such that $(\hat{s}, \hat{s}_i) \in R_{may}$, $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff there exists some $\hat{s}_i$ such that $(\hat{s}, \hat{s}_i) \in R_{must}$ and $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{false}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = EX\phi_1$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff there exists $\hat{s}_i$ such that $(\hat{s}, \hat{s}_i) \in R_{must}$ and $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff for all $\hat{s}_i$ such that $(\hat{s}, \hat{s}_i) \in R_{may}$, $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{false}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = AG\phi_1$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ and for all $\hat{s}_i \in \pi_{may}$ it holds that $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$, such that for some $\hat{s}_i \in \pi_{must}$, $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{false}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = EG\phi_1$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$, such that for all $\hat{s}_i \in \pi_{must}$, $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$, there is some $\hat{s}_i \in \pi_{may}$ such that $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{false}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = AF\phi_1$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$, there is a $\hat{s}_i \in \pi_{may}$ such that $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$, such that for all $\hat{s}_i \in \pi_{must}$, $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{false}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = EF\phi_1$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$, such that there is some $\hat{s}_i \in \pi_{must}$ for which $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ and for all $\hat{s}_i \in \pi_{may}$, $[(\hat{M}, \hat{s}_i) \models_3 \phi_1] = \mathit{false}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = A(\phi_1 U \phi_2)$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$, there is $\hat{s}_i \in \pi_{may}$ such that $[(\hat{M}, \hat{s}_i) \models_3 \phi_2] = \mathit{true}$ and $\forall j < i : [(\hat{M}, \hat{s}_j) \models_3 \phi_1] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$, such that

i. for all $0 \le k < |\pi_{must}|$:

$(\forall j < k : [(\hat{M}, \hat{s}_j) \models_3 \phi_1] \neq \mathit{false}) \Rightarrow ([(\hat{M}, \hat{s}_k) \models_3 \phi_2] = \mathit{false})$

ii. $(\text{for all } 0 \le k < |\pi_{must}| : [(\hat{M}, \hat{s}_k) \models_3 \phi_2] \neq \mathit{false}) \Rightarrow |\pi_{must}| = \infty$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise.

• If $\phi = E(\phi_1 U \phi_2)$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{true}$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ such that there is a $\hat{s}_i \in \pi_{must}$ with $[(\hat{M}, \hat{s}_i) \models_3 \phi_2] = \mathit{true}$ and for all $j < i$, $[(\hat{M}, \hat{s}_j) \models_3 \phi_1] = \mathit{true}$.

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \mathit{false}$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$

i. for all $0 \le k < |\pi_{may}|$:

$(\forall j < k : [(\hat{M}, \hat{s}_j) \models_3 \phi_1] \neq \mathit{false}) \Rightarrow ([(\hat{M}, \hat{s}_k) \models_3 \phi_2] = \mathit{false})$

ii. $(\text{for all } 0 \le k < |\pi_{may}| : [(\hat{M}, \hat{s}_k) \models_3 \phi_2] \neq \mathit{false}) \Rightarrow |\pi_{may}| = \infty$

— $[(\hat{M}, \hat{s}) \models_3 \phi] = \bot$, otherwise. □

From the 3-valued CTL semantics, it follows that must-transitions are used to check the
truth of existential CTL properties, while may-transitions are used to check the truth of
universal CTL properties. This works inversely for checking the refutation of CTL properties.
In what follows, we use $\models$ instead of $\models_3$ in order to refer to the 3-valued satisfaction relation.
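The following checker is an added example (not code from the paper) that implements the clauses of Def. 2.3 on a small constructed KMTS modelled on the ADO abstraction; the state names, transitions and labels are assumptions. It takes paths to be infinite sequences and $R_{may}$ to be total (both hold for the abstraction of a total KS), and obtains the universal operators from their existential duals, so a verdict such as the undefined outcome of AG EX q is computed from the must/may structure rather than read off a figure.

```python
"""3-valued CTL model checking over a KMTS, following Def. 2.3 of the paper.
Added example, not the paper's code.  Assumptions: paths are infinite sequences and
R_may is total (both hold for alpha(M) of a total KS, Def. 3.1); a formula is a nested
tuple such as ('AG', ('EX', ('ap', 'q'))) and a negative literal is written '!q'.
"""

T, F, U = True, False, None           # U is the undefined value (bottom)


def neg(v):
    return U if v is U else (not v)


class KMTS:
    def __init__(self, states, init, must, may, label):
        self.S, self.S0 = set(states), set(init)
        self.must = set(must)
        self.may = set(may) | self.must   # must-transitions are also may-transitions
        self.L = {s: set(label.get(s, ())) for s in self.S}

    def succ(self, rel, s):
        return {t for (u, t) in rel if u == s}

    def gfp(self, keep):
        """Largest X with X == {s in X | keep(s, X)} (greatest fixpoint)."""
        X = set(self.S)
        while True:
            Y = {s for s in X if keep(s, X)}
            if Y == X:
                return X
            X = Y

    def lfp(self, add):
        """Smallest X with X == X | {s | add(s, X)} (least fixpoint)."""
        X = set()
        while True:
            Y = X | {s for s in self.S if add(s, X)}
            if Y == X:
                return X
            X = Y

    def check(self, phi):
        """Map every state to T, F or U for formula phi."""
        op = phi[0]
        if op in ('true', 'false'):
            return {s: op == 'true' for s in self.S}
        if op == 'ap':                     # p true/false only if p / !p labels the state
            p = phi[1]
            return {s: T if p in self.L[s] else F if '!' + p in self.L[s] else U
                    for s in self.S}
        if op == 'not':
            return {s: neg(v) for s, v in self.check(phi[1]).items()}
        if op == 'and':                    # Kleene conjunction
            a, b = self.check(phi[1]), self.check(phi[2])
            return {s: F if F in (a[s], b[s]) else T if a[s] is T and b[s] is T else U
                    for s in self.S}
        if op == 'or':                     # De Morgan holds in the 3-valued semantics
            return self.check(('not', ('and', ('not', phi[1]), ('not', phi[2]))))
        if op in ('AX', 'AG', 'AF'):       # universal operators are duals of existential ones
            dual = {'AX': 'EX', 'AG': 'EF', 'AF': 'EG'}[op]
            return self.check(('not', (dual, ('not', phi[1]))))
        v = self.check(phi[1])
        if op == 'EX':
            # true needs a must-successor with phi1 true; false needs all may-successors false
            return {s: T if any(v[t] is T for t in self.succ(self.must, s))
                    else F if all(v[t] is F for t in self.succ(self.may, s)) else U
                    for s in self.S}
        if op == 'EG':
            # true: an infinite must-path staying in phi1 = true; false: no may-path avoids false
            X = self.gfp(lambda s, X: v[s] is T and self.succ(self.must, s) & X)
            Y = self.gfp(lambda s, Y: v[s] is not F and self.succ(self.may, s) & Y)
            return {s: T if s in X else F if s not in Y else U for s in self.S}
        if op == 'EF':
            # true: a must-path reaches a phi1 = true state that has an infinite must-continuation;
            # false: no may-reachable state (s itself included) has phi1 = true
            inf_must = self.gfp(lambda s, X: self.succ(self.must, s) & X)
            P = self.lfp(lambda s, P: (v[s] is T and s in inf_must) or self.succ(self.must, s) & P)
            Q = self.lfp(lambda s, Q: v[s] is T or self.succ(self.may, s) & Q)
            return {s: T if s in P else F if s not in Q else U for s in self.S}
        raise ValueError('unknown operator ' + op)


# Constructed KMTS in the spirit of the paper's ADO abstraction (not the paper's model):
# s0 abstracts the closed-door states (!q) and s1 the open-door state (q); every closed
# state has a closed successor (must s0->s0) but only some can open the door (may s0->s1).
ADO_ABS = KMTS(['s0', 's1'], ['s0'], must=[('s0', 's0'), ('s1', 's0')],
               may=[('s0', 's1')], label={'s0': ['!q'], 's1': ['q']})
# Refinement of s0 as in Sect. 3.2: s01 never reaches s1, s02 has a must-transition to s1.
ADO_REF = KMTS(['s01', 's02', 's1'], ['s01'], must=[('s01', 's01'), ('s02', 's1'), ('s1', 's01')],
               may=[('s01', 's02')], label={'s01': ['!q'], 's02': ['!q'], 's1': ['q']})
AG_EX_Q = ('AG', ('EX', ('ap', 'q')))   # the door can always be opened by one direct action


def verdicts():
    """AG EX q: undefined at s0 of the unrefined KMTS, false everywhere after refinement."""
    return {'abstract': ADO_ABS.check(AG_EX_Q), 'refined': ADO_REF.check(AG_EX_Q)}
```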
Figure 2. Abstraction and Concretization.


3. Abstraction and Refinement for 3-Valued CTL


3.1. Abstraction. Abstraction is a state-space reduction technique that produces a smaller
abstract model from an initial concrete model, so that the result of model checking a property
$\phi$ in the abstract model is preserved in the concrete model. This can be achieved if the
abstract model is built with certain requirements [?].

Definition 3.1. Given a KS $M = (S, S_0, R, L)$ and a pair of total functions $(\alpha : S \to \hat{S}, \gamma :
\hat{S} \to 2^S)$ such that

$\forall s \in S : \forall \hat{s} \in \hat{S} : (\alpha(s) = \hat{s} \Leftrightarrow s \in \gamma(\hat{s}))$

the KMTS $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ is defined as follows:

(1) $\hat{s} \in \hat{S}_0$ iff $\exists s \in \gamma(\hat{s})$ such that $s \in S_0$

(2) $lit \in \hat{L}(\hat{s})$ only if $\forall s \in \gamma(\hat{s}) : lit \in L(s)$

(3) $R_{must} = \{(\hat{s}_1, \hat{s}_2) \mid \forall s_1 \in \gamma(\hat{s}_1) : \exists s_2 \in \gamma(\hat{s}_2) : (s_1, s_2) \in R\}$

(4) $R_{may} = \{(\hat{s}_1, \hat{s}_2) \mid \exists s_1 \in \gamma(\hat{s}_1) : \exists s_2 \in \gamma(\hat{s}_2) : (s_1, s_2) \in R\}$ □


For a given KS $M$ and a pair of abstraction and concretization functions $\alpha$ and $\gamma$,
Def. 3.1 introduces the KMTS $\alpha(M)$ defined over the set $\hat{S}$ of abstract states. In our AMR
framework, we view $M$ as the concrete model and the KMTS $\alpha(M)$ as the abstract model.
Any two concrete states $s_1$ and $s_2$ of $M$ are abstracted by $\alpha$ to a state $\hat{s}$ of $\alpha(M)$ if and only
if $s_1, s_2$ are elements of the set $\gamma(\hat{s})$ (see Fig. 2). A state of $\alpha(M)$ is initial if and only if at
least one of its concrete states is initial as well. An atomic proposition in an abstract state is
true (respectively, false), only if it is also true (respectively, false) in all of its concrete states.
This means that the value of an atomic proposition may be unknown at a state of $\alpha(M)$. A
must-transition from $\hat{s}_1$ to $\hat{s}_2$ of $\alpha(M)$ exists, if and only if there are transitions from all
states of $\gamma(\hat{s}_1)$ to at least one state of $\gamma(\hat{s}_2)$ ($\forall\exists$-condition). Respectively, a may-transition
from $\hat{s}_1$ to $\hat{s}_2$ of $\alpha(M)$ exists, if and only if there is at least one transition from some state
of $\gamma(\hat{s}_1)$ to some state of $\gamma(\hat{s}_2)$ ($\exists\exists$-condition).


Definition 3.2. Given a pair of total functions $(\alpha : S \to \hat{S}, \gamma : \hat{S} \to 2^S)$ such that

$\forall s \in S : \forall \hat{s} \in \hat{S} : (\alpha(s) = \hat{s} \Leftrightarrow s \in \gamma(\hat{s}))$

and a KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, the set of KSs $\gamma(\hat{M}) = \{M \mid M = (S, S_0, R, L)\}$
is defined such that for all $M \in \gamma(\hat{M})$ the following conditions hold:

(1) $s \in S_0$ iff $\alpha(s) \in \hat{S}_0$

(2) $lit \in L(s)$ if $lit \in \hat{L}(\alpha(s))$

(3) $(s_1, s_2) \in R$ iff

• $\exists s'_1 \in \gamma(\alpha(s_1)) : \exists s'_2 \in \gamma(\alpha(s_2)) : (\alpha(s_1), \alpha(s_2)) \in R_{may}$ and,

• $\forall s'_1 \in \gamma(\alpha(s_1)) : \exists s'_2 \in \gamma(\alpha(s_2)) : (\alpha(s_1), \alpha(s_2)) \in R_{must}$ □


For a given KMTS $\hat{M}$ and a pair of abstraction and concretization functions $\alpha$ and $\gamma$, Def. 3.2
introduces a set $\gamma(\hat{M})$ of concrete KSs. A state $s$ of a KS $M \in \gamma(\hat{M})$ is initial if its abstract
state $\alpha(s)$ is also initial. An atomic proposition in a concrete state $s$ is true (respectively,
false) if it is also true (respectively, false) in its abstract state $\alpha(s)$. A transition from a
concrete state $s_1$ to another concrete state $s_2$ exists, if and only if

• there are concrete states $s'_1 \in \gamma(\alpha(s_1))$ and $s'_2 \in \gamma(\alpha(s_2))$, where $(\alpha(s_1), \alpha(s_2)) \in R_{may}$,
and

• there is at least one concrete state $s'_2 \in \gamma(\alpha(s_2))$ such that for all $s'_1 \in \gamma(\alpha(s_1))$ it holds
that $(\alpha(s_1), \alpha(s_2)) \in R_{must}$.


Abstract Interpretation. A pair of abstraction and concretization functions can be defined
within an Abstract Interpretation [20, 21] framework. Abstract interpretation is a theory
for a set of abstraction techniques, for which important properties for the model checking
problem have been proved [23, 21].

Definition 3.3. [23, ?] Let $M = (S, S_0, R, L)$ be a concrete KS and $\hat{M} = (\hat{S}, \hat{S}_0, R_{must},
R_{may}, \hat{L})$ be an abstract KMTS. A relation $H \subseteq S \times \hat{S}$ for $M$ and $\hat{M}$ is called a mixed
simulation, when $H(s, \hat{s})$ implies:

• $\hat{L}(\hat{s}) \subseteq L(s)$

• if $r = (s, s') \in R$, then there exists $\hat{s}' \in \hat{S}$ such that $r_{may} = (\hat{s}, \hat{s}') \in R_{may}$ and
$(s', \hat{s}') \in H$.

• if $r_{must} = (\hat{s}, \hat{s}') \in R_{must}$, then there exists $s' \in S$ such that $r = (s, s') \in R$ and
$(s', \hat{s}') \in H$. □

The abstraction function $\alpha$ of Def. 3.1 is a mixed simulation for the KS $M$ and its abstract
KMTS $\alpha(M)$.
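As an added example (not the paper's own code), the following builds $\alpha(M)$ by the four rules of Def. 3.1 for a constructed toy KS in the spirit of the ADO system and then checks the three mixed-simulation conditions of Def. 3.3 for the relation $\{(s, \alpha(s))\}$; the state names, the KS and the abstraction function are assumptions, not taken from the paper's figures.

```python
"""Building the KMTS alpha(M) of Def. 3.1 and checking the mixed-simulation
conditions of Def. 3.3 for it.  Added example, not the paper's code; the KS
below is a constructed toy (c0, c1 closed-door states, c2 open-door state).
"""
from itertools import product


def abstract(S, S0, R, L, alpha):
    """Return (S_hat, S0_hat, R_must, R_may, L_hat) for the KS (S, S0, R, L) under alpha."""
    gamma = {}                                   # concretization: gamma(h) = {s | alpha(s) = h}
    for s in S:
        gamma.setdefault(alpha[s], set()).add(s)
    S_hat = set(gamma)
    # (1) an abstract state is initial iff one of its concrete states is
    S0_hat = {h for h in S_hat if gamma[h] & set(S0)}
    # (2) a literal labels h only if it labels every concrete state of h (else unknown)
    L_hat = {h: set.intersection(*(set(L[s]) for s in gamma[h])) for h in S_hat}
    # (3) must: every concrete state of h1 has some successor in gamma(h2)   (forall-exists)
    R_must = {(h1, h2) for h1, h2 in product(S_hat, repeat=2)
              if all(any((s1, s2) in R for s2 in gamma[h2]) for s1 in gamma[h1])}
    # (4) may: some concrete state of h1 has some successor in gamma(h2)     (exists-exists)
    R_may = {(h1, h2) for h1, h2 in product(S_hat, repeat=2)
             if any((s1, s2) in R for s1 in gamma[h1] for s2 in gamma[h2])}
    return S_hat, S0_hat, R_must, R_may, L_hat


def is_mixed_simulation(S, R, L, alpha, R_must, R_may, L_hat):
    """Def. 3.3 for H = {(s, alpha(s))}: label, may-transition and must-transition conditions."""
    labels_ok = all(L_hat[alpha[s]] <= set(L[s]) for s in S)
    may_ok = all((alpha[s], alpha[t]) in R_may for (s, t) in R)
    must_ok = all(any((s, t) in R and alpha[t] == h2 for t in S)
                  for s in S for (h1, h2) in R_must if alpha[s] == h1)
    return labels_ok and may_ok and must_ok


# Constructed concrete KS: c0 and c1 are closed-door states, c2 is the open-door state;
# only c1 can open the door, and the door closes again from c2 (R is total).
TOY_S = {'c0', 'c1', 'c2'}
TOY_S0 = {'c0'}
TOY_R = {('c0', 'c1'), ('c1', 'c0'), ('c1', 'c2'), ('c2', 'c0')}
TOY_L = {'c0': {'!q'}, 'c1': {'!q'}, 'c2': {'q'}}
TOY_ALPHA = {'c0': 'a0', 'c1': 'a0', 'c2': 'a1'}   # closed states -> a0, open state -> a1


def toy_abstraction():
    return abstract(TOY_S, TOY_S0, TOY_R, TOY_L, TOY_ALPHA)


def toy_is_mixed_simulation():
    _, _, R_must, R_may, L_hat = toy_abstraction()
    return is_mixed_simulation(TOY_S, TOY_R, TOY_L, TOY_ALPHA, R_must, R_may, L_hat)
```

In the result, a0 has a may-transition but no must-transition to a1, which is exactly the situation that leaves EX q undefined at a0 and triggers refinement in Sect. 3.2.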


Theorem 3.4. [32] Let $H \subseteq S \times \hat{S}$ be a mixed simulation from a KS $M = (S, S_0, R, L)$ to a
KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$. Then, for every CTL formula $\phi$ and every $(s, \hat{s}) \in H$
it holds that

$[(\hat{M}, \hat{s}) \models \phi] \neq \bot \Rightarrow [(\hat{M}, \hat{s}) \models \phi] = [(M, s) \models \phi]$

Theorem 3.4 ensures that if a CTL formula $\phi$ has a definite truth value (i.e., true or false)
in the abstract KMTS, then it has the same truth value in the concrete KS. When we get $\bot$
from the 3-valued model checking of a CTL formula $\phi$, the result of model checking property
$\phi$ on the corresponding KS can be either true or false.


Example. An abstract KMTS $\hat{M}$ is presented in Fig. 3a, where all the states labeled by $q$
are grouped together, as are all states labeled by $\neg q$.


3.2. Refinement. When the outcome of verifying a CTL formula $\phi$ on an abstract model
using the 3-valued semantics is $\bot$, then a refinement step is needed to acquire a more
precise abstract model. In the literature, there are refinement approaches for the 2-valued
CTL semantics [?], as well as a number of techniques for the 3-valued CTL model
checking [31, ?, 17, 35]. The refinement technique that we adopt is an automated two-step
process based on [?]:

G. CHATZIELEFTHERIOU, B. BONAKDARPOUR, P. KATSAROS, AND S. A. SMOLKA

Figure 3. The KS and KMTSs for the ADO system. (b) The KS and refined KMTS.
Legend: solid arrow, must-transition; dashed arrow, may-transition.

(1) Identify a failure state in $\alpha(M)$ using the algorithms in [17, 46]: the cause of failure for
a state $\hat{s}$ stems from an atomic proposition having an undefined value in $\hat{s}$, or from an
outgoing may-transition from $\hat{s}$.
(2) Produce the abstract KMTS $\alpha_{Refined}(M)$, where $\alpha_{Refined}$ is a new abstraction function
as in Def. 3.1, such that the identified failure state is refined into two states. If the cause
of failure is an undefined value of an atomic proposition in $\hat{s}$, then $\hat{s}$ is split into states
$\hat{s}_1$ and $\hat{s}_2$, such that the atomic proposition is true in $\hat{s}_1$ and false in $\hat{s}_2$. Otherwise, if
the cause of failure is an outgoing may-transition from $\hat{s}$, then $\hat{s}$ is split into states $\hat{s}_1$
and $\hat{s}_2$, such that there is an outgoing must-transition from $\hat{s}_1$ and no outgoing may- or
must-transition from $\hat{s}_2$.


The described refinement technique does not necessarily converge to an abstract KMTS with
a definite model checking result. A promising approach to overcome this restriction
is to use a different type of abstract model, as in [?], where the authors propose the use
of Generalized KMTSs, which ensure monotonicity of the refinement process.


Example. Consider the case where the ADO system requires a mechanism for opening
the door from any state with a direct action. This could be an action done by an expert if
an immediate opening of the door is required. This property can be expressed in CTL as
$\phi = AG\,EX\,q$. Observe that in $\alpha(M)$ of Fig. 3a the absence of a must-transition from $\hat{s}_0$
to $\hat{s}_1$, where $[(\alpha(M), \hat{s}_1) \models q] = \mathit{true}$, in conjunction with the existence of a may-transition
from $\hat{s}_0$ to $\hat{s}_1$, i.e. to a state where $[(\alpha(M), \hat{s}_1) \models q] = \mathit{true}$, results in an undefined model-checking
outcome for $[(\alpha(M), \hat{s}_0) \models \phi]$. Notice that state $\hat{s}_0$ is the failure state, and the
may-transition from $\hat{s}_0$ to $\hat{s}_1$ is the cause of the failure. Consequently, $\hat{s}_0$ is refined into two
states, $\hat{s}_{01}$ and $\hat{s}_{02}$, such that the former has no transition to $\hat{s}_1$ and the latter has an outgoing
must-transition to $\hat{s}_1$. Thus, the may-transition which caused the undefined outcome is
eliminated and for the refined KMTS $\alpha_{Refined}(M)$ it holds that $[(\alpha_{Refined}(M), \hat{s}_1) \models \phi] = \mathit{false}$.

The initial KS and the refined KMTS $\alpha_{Refined}(M)$ are shown in Fig. 3b.


4. The Model Repair Problem 

In this section, we formulate the problem of Model Repair. A metric space over Kripke
structures is defined to quantify their structural differences. This allows us to take into
account the minimality-of-changes criterion in Model Repair.

Let $\pi$ be a function on the set of all functions $f : X \to Y$ such that:

$\pi(f) = \{(x, f(x)) \mid x \in X\}$

A restriction operator (denoted by $\restriction$) for the domain of function $f$ is defined such that for
$X_1 \subseteq X$

$f \restriction_{X_1} = \{(x, f(x)) \mid x \in X_1\}$

By $S^c$, we denote the complement of a set $S$.

Definition 4.1. For any two $M = (S, S_0, R, L)$ and $M' = (S', S'_0, R', L')$ in the set $K_M$ of
all KSs, where

$S' = (S \cup S_{IN}) - S_{OUT}$ for some $S_{IN} \subseteq S^c$, $S_{OUT} \subseteq S$,

$R' = (R \cup R_{IN}) - R_{OUT}$ for some $R_{IN} \subseteq R^c$, $R_{OUT} \subseteq R$,

$L' : S' \to 2^{Lit}$,

the distance function $d$ over $K_M$ is defined as follows:

$d(M, M') = |S \triangle S'| + |R \triangle R'| + |\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})|$

with $A \triangle B$ representing the symmetric difference $(A - B) \cup (B - A)$. □
For any two KSs defined over the same set of atomic propositions $AP$, function $d$ counts the
number of differences $|S \triangle S'|$ in the state spaces, the number of differences $|R \triangle R'|$ in their
transition relations and the number of common states with altered labeling.

Proposition 4.2. The ordered pair $(K_M, d)$ is a metric space.

Proof. We use the fact that the cardinality of the symmetric difference between any two
sets is a distance metric. It holds that:

(1) $|S \triangle S'| \ge 0$, $|R \triangle R'| \ge 0$ and $|\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})| \ge 0$ (non-negativity)

(2) $|S \triangle S'| = 0$ iff $S = S'$, $|R \triangle R'| = 0$ iff $R = R'$ and $|\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})| = 0$ iff
$\pi(L \restriction_{S \cap S'}) = \pi(L' \restriction_{S \cap S'})$ (identity of indiscernibles)

(3) $|S \triangle S'| = |S' \triangle S|$, $|R \triangle R'| = |R' \triangle R|$ and $|\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})| =
|\pi(L' \restriction_{S \cap S'}) \triangle \pi(L \restriction_{S \cap S'})|$ (symmetry)

(4) $|S' \triangle S''| \le |S' \triangle S| + |S \triangle S''|$, $|R' \triangle R''| \le |R' \triangle R| + |R \triangle R''|$,
$|\pi(L' \restriction_{S' \cap S''}) \triangle \pi(L'' \restriction_{S' \cap S''})| \le |\pi(L' \restriction_{S' \cap S}) \triangle \pi(L \restriction_{S' \cap S})| +
|\pi(L \restriction_{S \cap S''}) \triangle \pi(L'' \restriction_{S \cap S''})|$ (triangle inequality)

We will prove that $d$ is a metric on $K_M$. Suppose $M, M', M'' \in K_M$.

• It easily follows from (1) that $d(M, M') \ge 0$ (non-negativity)

• From (2), $d(M, M') = 0$ iff $M = M'$ (identity of indiscernibles)

• Adding the equations in (3) results in $d(M, M') = d(M', M)$ (symmetry)

• If we add the inequalities in (4), then we get $d(M', M'') \le d(M', M) + d(M, M'')$ (triangle
inequality)

So, the proposition is true. □

Definition 4.3. For any two $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and $\hat{M}' = (\hat{S}', \hat{S}'_0, R'_{must}, R'_{may}, \hat{L}')$
in the set $K_{\hat{M}}$ of all KMTSs, where

$\hat{S}' = (\hat{S} \cup \hat{S}_{IN}) - \hat{S}_{OUT}$ for some $\hat{S}_{IN} \subseteq \hat{S}^c$, $\hat{S}_{OUT} \subseteq \hat{S}$,

$R'_{must} = (R_{must} \cup R_{IN}) - R_{OUT}$ for some $R_{IN} \subseteq R_{must}^c$, $R_{OUT} \subseteq R_{must}$,

$R'_{may} = (R_{may} \cup R'_{IN}) - R'_{OUT}$ for some $R'_{IN} \subseteq R_{may}^c$, $R'_{OUT} \subseteq R_{may}$,

$\hat{L}' : \hat{S}' \to 2^{Lit}$,

the distance function $d$ over $K_{\hat{M}}$ is defined as follows:

$d(\hat{M}, \hat{M}') = |\hat{S} \triangle \hat{S}'| + |R_{must} \triangle R'_{must}| + |(R_{may} - R_{must}) \triangle (R'_{may} - R'_{must})| +
\frac{|\pi(\hat{L} \restriction_{\hat{S} \cap \hat{S}'}) \triangle \pi(\hat{L}' \restriction_{\hat{S} \cap \hat{S}'})|}{2}$

with $A \triangle B$ representing the symmetric difference $(A - B) \cup (B - A)$. □

We note that $d$ counts the differences between $R'_{may}$ and $R_{may}$, and those between $R'_{must}$
and $R_{must}$ separately, while avoiding counting the differences in the latter case twice (we
remind that must-transitions are also included in $R_{may}$).

Proposition 4.4. The ordered pair $(K_{\hat{M}}, d)$ is a metric space.

Proof. The proof is done in the same way as in Prop. 4.2. □



ABSTRACT MODEL REPAIR

Figure 4. Abstract Model Repair Framework.

Definition 4.5. Given a KS $M$ and a CTL formula $\phi$ where $M \not\models \phi$, the Model Repair
problem is to find a KS $M'$, such that $M' \models \phi$ and $d(M, M')$ is minimum with respect to
all such $M'$.

The Model Repair problem aims at modifying a KS such that the resulting KS satisfies
a CTL formula that was violated before. The distance function $d$ of Def. 4.1 features all
the attractive properties of a distance metric. Given that no quantitative interpretation
exists for predicates and logical operators in CTL, $d$ can be used in a model repair solution
towards selecting minimum changes to the modified KS.


5. The Abstract Model Repair Framework 

Our AMR framework integrates 3-valued model checking, model refinement, and a new
algorithm for selecting the repair operations applied to the abstract model. The goal of this
algorithm is to apply the repair operations in a way such that the number of structural
changes to the corresponding concrete model is minimized. The algorithm works based on a
partial order relation over a set of basic repair operations for KMTSs. This section describes
the steps involved in our AMR framework, the basic repair operations, and the algorithm.


5.1. The Abstract Model Repair Process. The process steps shown in Fig. 4 rely on
the KMTS abstraction of Def. 3.1. These are the following:


Step 1: Given a KS $M$, a state $s$ of $M$, and a CTL property $\phi$, let us call $\hat{M}$ the KMTS
obtained as in Def. 3.1.

Step 2: For state $\hat{s} = \alpha(s)$ of $\hat{M}$, we check whether $(\hat{M}, \hat{s}) \models \phi$ by 3-valued model checking.

Case 1: If the result is true, then, according to Theorem 3.4, $(M, s) \models \phi$ and there is
no need to repair $M$.

Case 2: If the result is undefined, then a refinement of $\hat{M}$ takes place, and:

Case 2.1: If an $\hat{M}_{Refined}$ is found, the control is transferred to Step 2.

Case 2.2: If a refined KMTS cannot be retrieved, the repair process terminates
with a failure.

Case 3: If the result is false, then, from Theorem 3.4, $(M, s) \not\models \phi$ and the repair process
is enacted; the control is transferred to Step 3.

Step 3: The AbstractRepair algorithm is called for the abstract KMTS ($\hat{M}_{Refined}$ or $\hat{M}$ if
no refinement has occurred), the state $\hat{s}$ and the property $\phi$.

Case 1: AbstractRepair returns an $\hat{M}'$ for which $(\hat{M}', \hat{s}) \models \phi$.

Case 2: AbstractRepair fails to find an $\hat{M}'$ for which the property holds true.

Step 4: If AbstractRepair returns an $\hat{M}'$, then the process ends with selecting the subset
of KSs from $\gamma(\hat{M}')$, with elements whose distance $d$ from the KS $M$ is minimum with
respect to all the KSs in $\gamma(\hat{M}')$.


5.2. Basic Repair Operations. We decompose the KMTS repair process into seven basic 
repair operations: 

AddMust: Adding a must-transition 
AddMay: Adding a may-transition 
RemoveMust: Removing a must-transition 
RemoveMay: Removing a may-transition 
ChangeLabel: Changing the labeling of a KMTS state 
AddState: Adding a new KMTS state 
RemoveState: Removing a disconnected KMTS state 


5.2.1. Adding a must-transition.


Definition 5.1 (AddMust). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and $\hat{r}_n =
(\hat{s}_1, \hat{s}_2) \notin R_{must}$, $AddMust(\hat{M}, \hat{r}_n)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R'_{must}, R'_{may}, \hat{L})$ such that

$R'_{must} = R_{must} \cup \{\hat{r}_n\}$ and $R'_{may} = R_{may} \cup \{\hat{r}_n\}$. □


Since $R_{must} \subseteq R_{may}$, $\hat{r}_n$ must also be added to $R_{may}$, resulting in a new may-transition
if $\hat{r}_n \notin R_{may}$. Fig. 5 shows how the basic repair operation AddMust modifies a given KMTS.
The newly added transitions are in bold.


Proposition 5.2. For any $\hat{M}' = AddMust(\hat{M}, \hat{r}_n)$, it holds that $d(\hat{M}, \hat{M}') = 1$. □


Definition 5.3. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be
the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = AddMust(\alpha(M), \hat{r}_n)$ for
some $\hat{r}_n = (\hat{s}_1, \hat{s}_2) \notin R_{must}$. The set $K_{min} \subseteq \gamma(\hat{M}')$ with all KSs whose distance $d$ from $M$
is minimized is:

$K_{min} = \{M' \mid M' = (S, S_0, R \cup R_n, L)\}$ (5.1)

where $R_n$ is given for one $s_2 \in \gamma(\hat{s}_2)$ as follows:

$R_n = \bigcup_{s_1 \in \gamma(\hat{s}_1)} \{(s_1, s_2) \mid \nexists s \in \gamma(\hat{s}_2) : (s_1, s) \in R\}$ □

Figure 5. AddMust: Adding a new must-transition. (a) May-transition exists.


Def. 5.3 implies that when the AbstractRepair algorithm applies AddMust on the abstract
KMTS $\hat{M}$, then a set of KSs is retrieved from the concretization of $\hat{M}'$. The same holds for
all other basic repair operations and consequently, when AbstractRepair finds a repaired
KMTS, one or more KSs can be obtained for which property $\phi$ holds.

Proposition 5.4. For all $M' \in K_{min}$, it holds that $1 \le d(M, M') \le |S|$.


Proof. Recall that

$d(M, M') = |S \triangle S'| + |R \triangle R'| + |\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})|$

Since $|S \triangle S'| = 0$ and $|\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})| = 0$, $d(M, M') = |R \triangle R'| = |R - R'| + |R' - R|
= 0 + |R_n|$. Since $|R_n| \ge 1$ and $|R_n| \le |S|$, it is proved that $1 \le d(M, M') \le |S|$. □


From Prop. 5.4 we conclude that a lower and an upper bound exist for the distance
between $M$ and any $M' \in K_{min}$.
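As an added example (not code from the paper), the following computes $d$ of Def. 4.1 literally and enumerates $K_{min}$ of Def. 5.3 for one AddMust on a constructed four-state KS, so that the bound of Prop. 5.4 can be checked on an instance where $|R_n| > 1$; the KS, the abstraction function and the chosen abstract transition are assumptions.

```python
"""Distance d of Def. 4.1 between two KSs and the concrete repairs K_min that
Def. 5.3 (eq. 5.1) derives from one AddMust on alpha(M).  Added example, not the
paper's code; the KS and alpha below are constructed.  A KS is a tuple (S, S0, R, L).
"""


def distance(M, M2):
    """d(M, M') = |S ^ S'| + |R ^ R'| + |pi(L|S∩S') ^ pi(L'|S∩S')| (^ = symmetric difference)."""
    S, _, R, L = M
    S2, _, R2, L2 = M2
    common = S & S2
    pi1 = {(s, frozenset(L[s])) for s in common}    # pi(L restricted to the common states)
    pi2 = {(s, frozenset(L2[s])) for s in common}
    # a relabelled common state contributes one pair to each side of the symmetric difference
    return len(S ^ S2) + len(R ^ R2) + len(pi1 ^ pi2)


def add_must_concretizations(M, alpha, h1, h2):
    """K_min after AddMust(alpha(M), (h1, h2)), keyed by the chosen concrete target s2.

    For a fixed s2 in gamma(h2), R_n adds (s1, s2) for every s1 in gamma(h1) that has no
    transition into gamma(h2) yet, so that the forall-exists condition of Def. 3.1 holds.
    """
    S, S0, R, L = M
    gamma1 = {s for s in S if alpha[s] == h1}
    gamma2 = {s for s in S if alpha[s] == h2}
    if all(any((s1, s2) in R for s2 in gamma2) for s1 in gamma1):
        raise ValueError('(h1, h2) is already a must-transition of alpha(M)')
    repaired = {}
    for s2 in gamma2:
        Rn = {(s1, s2) for s1 in gamma1 if not any((s1, s) in R for s in gamma2)}
        repaired[s2] = (S, S0, R | Rn, L)
    return repaired


def repair_distances(M, alpha, h1, h2):
    """d(M, M') for every M' in K_min; by Prop. 5.4 each value lies in [1, |S|]."""
    return {s2: distance(M, M2)
            for s2, M2 in add_must_concretizations(M, alpha, h1, h2).items()}


# Constructed KS: c0, c1, c2 are closed-door states cycling through each other, c3 is the
# open-door state reachable only from c2; alpha maps the closed states to a0 and c3 to a1.
TOY_KS = (frozenset({'c0', 'c1', 'c2', 'c3'}), frozenset({'c0'}),
          frozenset({('c0', 'c1'), ('c1', 'c2'), ('c2', 'c0'), ('c2', 'c3'), ('c3', 'c0')}),
          {'c0': {'!q'}, 'c1': {'!q'}, 'c2': {'!q'}, 'c3': {'q'}})
TOY_ALPHA = {'c0': 'a0', 'c1': 'a0', 'c2': 'a0', 'c3': 'a1'}

# A relabelled copy of TOY_KS (c3 becomes a closed state) to exercise the labelling term of d.
TOY_KS_RELABELLED = (TOY_KS[0], TOY_KS[1], TOY_KS[2], {**TOY_KS[3], 'c3': {'!q'}})
```

For (a0, a1), which is a may- but not a must-transition of $\alpha(M)$, the only concrete target is c3 and $R_n$ adds the two missing transitions from c0 and c1, so $d(M, M') = 2$ within the bound $[1, |S|] = [1, 4]$.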


5.2.2. Adding a may-transition.

Definition 5.5 (AddMay). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and $\hat{r}_n =
(\hat{s}_1, \hat{s}_2) \notin R_{may}$, $AddMay(\hat{M}, \hat{r}_n)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R'_{must}, R'_{may}, \hat{L})$ such that

$R'_{must} = R_{must} \cup \{\hat{r}_n\}$ if $|S_1| = 1$ or $R'_{must} = R_{must}$ if $|S_1| > 1$ for $S_1 = \{s_1 \mid s_1 \in \gamma(\hat{s}_1)\}$
and $R'_{may} = R_{may} \cup \{\hat{r}_n\}$. □

From Def. 5.5 we conclude that there are two different cases in adding a new may-transition
$\hat{r}_n$: adding also a must-transition or not. In fact, $\hat{r}_n$ is also a must-transition if
and only if the set of the corresponding concrete states of $\hat{s}_1$ is a singleton. Fig. 6 displays
the two different cases of applying basic repair operation AddMay to a KMTS.

Proposition 5.6. For any $\hat{M}' = AddMay(\hat{M}, \hat{r}_n)$, it holds that $d(\hat{M}, \hat{M}') = 1$. □

Figure 6. AddMay: Adding a new must-transition. (a) Only may-transition is added; (b) Must-transition is also added.


Definition 5.7. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be
the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = AddMay(\alpha(M), \hat{r}_n)$ for
some $\hat{r}_n = (\hat{s}_1, \hat{s}_2) \notin R_{may}$. The set $K_{min} \subseteq \gamma(\hat{M}')$ with all KSs whose structural distance
$d$ from $M$ is minimized is given by:

$K_{min} = \{M' \mid M' = (S, S_0, R \cup \{r_n\}, L)\}$ (5.2)

where $r_n \in R_n$ and $R_n = \{r_n = (s_1, s_2) \mid s_1 \in \gamma(\hat{s}_1), s_2 \in \gamma(\hat{s}_2) \text{ and } r_n \notin R\}$. □


Proposition 5.8. For all $M' \in K_{min}$, it holds that $d(M, M') = 1$.

Proof. $d(M, M') = |S \triangle S'| + |R \triangle R'| + |\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})|$. Because $|S \triangle S'| = 0$ and
$|\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})| = 0$, $d(M, M') = |R - R'| + |R' - R| = 0 + |\{r_n\}| = 1$.

So, we prove that $d(M, M') = 1$. □


5.2.3. Removing a must-transition.

Definition 5.9 (RemoveMust). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and $\hat{r}_m =
(\hat{s}_1, \hat{s}_2) \in R_{must}$, $RemoveMust(\hat{M}, \hat{r}_m)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R'_{must}, R'_{may}, \hat{L})$ such that
$R'_{must} = R_{must} - \{\hat{r}_m\}$ and $R'_{may} = R_{may} - \{\hat{r}_m\}$ if $|S_1| = 1$ or $R'_{may} = R_{may}$ if $|S_1| > 1$ for
$S_1 = \{s_1 \mid s_1 \in \gamma(\hat{s}_1)\}$. □

Removing a must-transition $\hat{r}_m$, in some special and maybe rare cases, could also result
in the deletion of the may-transition $\hat{r}_m$ as well. In fact, this occurs if transitions to the
concrete states of $\hat{s}_2$ exist only from one concrete state of the corresponding ones of $\hat{s}_1$.
These two cases for function RemoveMust are presented graphically in Fig. 7.

Proposition 5.10. For any $\hat{M}' = RemoveMust(\hat{M}, \hat{r}_m)$, it holds that $d(\hat{M}, \hat{M}') = 1$. □

Figure 7. RemoveMust: Removing an existing must-transition. (a) May-transition is not removed; (b) May-transition is also removed.

Definition 5.11. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be
the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = RemoveMust(\alpha(M), \hat{r}_m)$
for some $\hat{r}_m = (\hat{s}_1, \hat{s}_2) \in R_{must}$. The set $K_{min} \subseteq \gamma(\hat{M}')$ with all KSs whose structural
distance $d$ from $M$ is minimized is given by:

$K_{min} = \{M' \mid M' = (S, S_0, R - R_m, L)\}$ (5.3)

where $R_m$ is given for one $s_1 \in \gamma(\hat{s}_1)$ as follows:

$R_m = \bigcup_{s_2 \in \gamma(\hat{s}_2)} \{(s_1, s_2)\}$ □

Proposition 5.12. For all $M' \in K_{min}$, it holds that $1 \le d(M, M') \le |S|$.

Proof. $d(M, M') = |S \triangle S'| + |R \triangle R'| + |\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})|$. Because $|S \triangle S'| = 0$ and
$|\pi(L \restriction_{S \cap S'}) \triangle \pi(L' \restriction_{S \cap S'})| = 0$, $d(M, M') = |R \triangle R'| = |R - R'| + |R' - R| = |R_m| + 0 = |R_m|$.
It holds that $|R_m| \ge 1$ and $|R_m| \le |S|$. So, we proved that $1 \le d(M, M') \le |S|$. □


5.2.4. Removing a may-transition.

Definition 5.13 (RemoveMay). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and
$\hat{r}_m = (\hat{s}_1, \hat{s}_2) \in R_{may}$, $RemoveMay(\hat{M}, \hat{r}_m)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R'_{must}, R'_{may}, \hat{L})$ such
that $R'_{must} = R_{must} - \{\hat{r}_m\}$ and $R'_{may} = R_{may} - \{\hat{r}_m\}$. □

Def. 5.13 ensures that removing a may-transition implies the removal of a must-transition,
if $\hat{r}_m$ is also a must-transition. Otherwise, there are no changes in the set of
must-transitions $R_{must}$. Fig. 8 shows how function RemoveMay works in both cases.

Proposition 5.14. For any $\hat{M}' = RemoveMay(\hat{M}, \hat{r}_m)$, it holds that $d(\hat{M}, \hat{M}') = 1$. □
Figure 8. RemoveMay: Removing an existing may-transition


Definition 5.15. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = RemoveMay(\alpha(M), \hat{r}_m)$ for some $\hat{r}_m = (\hat{s}_1, \hat{s}_2) \in R_{may}$ with $\hat{s}_1, \hat{s}_2 \in \hat{S}$. The KS $M' \in \gamma(\hat{M}')$ whose structural distance $d$ from $M$ is minimized is given by:

$M' = (S, S_0, R - R_m, L)$ (5.4)

where $R_m = \{r_m = (s_1, s_2) \mid s_1 \in \gamma(\hat{s}_1),\ s_2 \in \gamma(\hat{s}_2) \text{ and } r_m \in R\}$. □

Proposition 5.16. For $M'$, it holds that $1 \le d(M, M') \le |S|^2$.

Proof. $d(M, M') = |S \triangle S'| + |R \triangle R'| + |\pi(L\restriction_{S \cap S'}) \triangle \pi(L'\restriction_{S \cap S'})|$. Because $|S \triangle S'| = 0$ and $|\pi(L\restriction_{S \cap S'}) \triangle \pi(L'\restriction_{S \cap S'})| = 0$, $d(M, M') = |R \triangle R'| = |R - R'| + |R' - R| = |R_m| + 0 = |R_m|$. It holds that $|R_m| \ge 1$ and $|R_m| \le |S|^2$. So, we proved that $1 \le d(M, M') \le |S|^2$. □


5.2.5. Changing the labeling of a KMTS state.

Definition 5.17 (ChangeLabel). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, a state $\hat{s} \in \hat{S}$ and an atomic CTL formula $\phi$ with $\phi \in 2^{LIT}$, $ChangeLabel(\hat{M}, \hat{s}, \phi)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L}')$ such that $\hat{L}' = (\hat{L} \cup \{\hat{l}_{new}\}) - \{\hat{l}_{old}\}$ for $\hat{l}_{old} = (\hat{s}, \hat{L}(\hat{s}))$ and $\hat{l}_{new} = (\hat{s}, lit_{new})$, where $lit_{new} = \hat{L}(\hat{s}) \cup \{lit \mid lit \in \phi\} - \{\neg lit \mid lit \in \phi\}$. □

The basic repair operation ChangeLabel makes it possible to repair a model by changing the labeling of a state, i.e. without inducing any change in the structure of the model (number of states or transitions). Fig. 9 presents the application of ChangeLabel in a graphical manner.

Proposition 5.18. For any $\hat{M}' = ChangeLabel(\hat{M}, \hat{s}, \phi)$, it holds that $d(\hat{M}, \hat{M}') = 1$. □
Figure 9. ChangeLabel: Changing the labeling of a KMTS state


Definition 5.19. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = ChangeLabel(\alpha(M), \hat{s}, \phi)$ for some $\hat{s} \in \hat{S}$ and $\phi \in 2^{LIT}$. The KS $M' \in \gamma(\hat{M}')$ whose structural distance $d$ from $M$ is minimized is given by:

$M' = (S, S_0, R, L - L_{old} \cup L_{new})$ (5.5)

where

$L_{old} = \{l_{old} = (s, lit_{old}) \mid s \in \gamma(\hat{s}),\ \hat{s} \in \hat{S},\ \neg lit_{old} \in \phi \text{ and } l_{old} \in L\}$

$L_{new} = \{l_{new} = (s, lit_{new}) \mid s \in \gamma(\hat{s}),\ \hat{s} \in \hat{S},\ lit_{new} \in \phi \text{ and } l_{new} \notin L\}$

□

Proposition 5.20. For $M'$, it holds that $1 \le d(M, M') \le |S|$.

Proof. $d(M, M') = |S \triangle S'| + |R \triangle R'| + |\pi(L\restriction_{S \cap S'}) \triangle \pi(L'\restriction_{S \cap S'})|$. Because $|S \triangle S'| = 0$ and $|R \triangle R'| = 0$, $d(M, M') = |\pi(L\restriction_{S \cap S'}) \triangle \pi(L'\restriction_{S \cap S'})| = |L_{old}| + |L_{new}|$. It holds that $|L_{new}| \ge 1$ and $|L_{new}| \le |S|$. So, we prove that $1 \le d(M, M') \le |S|$. □


5.2.6. Adding a new KMTS state.

Definition 5.21 (AddState). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and a state $\hat{s}_n \notin \hat{S}$, $AddState(\hat{M}, \hat{s}_n)$ is the KMTS $\hat{M}' = (\hat{S}', \hat{S}_0, R_{must}, R_{may}, \hat{L}')$ such that $\hat{S}' = \hat{S} \cup \{\hat{s}_n\}$ and $\hat{L}' = \hat{L} \cup \{\hat{l}_n\}$, where $\hat{l}_n = (\hat{s}_n, \top)$. □

The most important points about function AddState are that the newly created abstract state $\hat{s}_n$ is isolated, i.e. there are no ingoing or outgoing transitions for this state, and that the labeling of this new state is $\top$. Another consequence of Def. 5.21 is that the inserted state is not permitted to be initial. The application of function AddState is presented graphically in Fig. 10.

Proposition 5.22. For any $\hat{M}' = AddState(\hat{M}, \hat{s}_n)$, it holds that $d(\hat{M}, \hat{M}') = 1$. □
Figure 10. AddState: Adding a new KMTS state


Definition 5.23. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = AddState(\alpha(M), \hat{s}_n)$ for some $\hat{s}_n \notin \hat{S}$. The KS $M' \in \gamma(\hat{M}')$ whose structural distance $d$ from $M$ is minimized is given by:

$M' = (S \cup \{s_n\}, S_0, R, L \cup \{l_n\})$ (5.6)

where $s_n \in \gamma(\hat{s}_n)$ and $l_n = (s_n, \top)$. □

Proposition 5.24. For $M'$, it holds that $d(M, M') = 1$.

Proof. $d(M, M') = |S \triangle S'| + |R \triangle R'| + |\pi(L\restriction_{S \cap S'}) \triangle \pi(L'\restriction_{S \cap S'})|$. Because $|R \triangle R'| = 0$ and $|\pi(L\restriction_{S \cap S'}) \triangle \pi(L'\restriction_{S \cap S'})| = 0$, $d(M, M') = |S \triangle S'| = |S - S'| + |S' - S| = 0 + |\{s_n\}| = 1$. So, we proved that $d(M, M') = 1$. □


5.2.7. Removing a disconnected KMTS state.

Definition 5.25 (RemoveState). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and a state $\hat{s}_r \in \hat{S}$ such that $\forall \hat{s} \in \hat{S} : (\hat{s}, \hat{s}_r) \notin R_{may} \wedge (\hat{s}_r, \hat{s}) \notin R_{may}$, $RemoveState(\hat{M}, \hat{s}_r)$ is the KMTS $\hat{M}' = (\hat{S}', \hat{S}'_0, R_{must}, R_{may}, \hat{L}')$ such that $\hat{S}' = \hat{S} - \{\hat{s}_r\}$, $\hat{S}'_0 = \hat{S}_0 - \{\hat{s}_r\}$ and $\hat{L}' = \hat{L} - \{\hat{l}_r\}$, where $\hat{l}_r = (\hat{s}_r, lit) \in \hat{L}$. □

From Def. 5.25 it is clear that the state being removed should be isolated, i.e. there are no may- or must-transitions from or to this state. This means that before applying RemoveState to an abstract state, all its ingoing and outgoing transitions must have been removed by other basic repair operations. RemoveState is also used for the elimination of dead-end states, when such states arise during the repair process. Fig. 11 presents the application of RemoveState in a graphical manner.

Proposition 5.26. For any $\hat{M}' = RemoveState(\hat{M}, \hat{s}_r)$, it holds that $d(\hat{M}, \hat{M}') = 1$. □
Figure 11. RemoveState: Removing a disconnected KMTS state


Definition 5.27. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = RemoveState(\alpha(M), \hat{s}_r)$ for some $\hat{s}_r \in \hat{S}$ with $\hat{l}_r = (\hat{s}_r, lit) \in \hat{L}$. The KS $M' \in \gamma(\hat{M}')$ whose structural distance $d$ from $M$ is minimized is given by:

$M' = (S', S'_0, R', L')$ s.t. $S' = S - S_r$, $S'_0 = S_0 - S_r$, $R' = R$, $L' = L - L_r$ (5.7)

where $S_r = \{s_r \mid s_r \in S \text{ and } s_r \in \gamma(\hat{s}_r)\}$ and $L_r = \{l_r = (s_r, lit) \mid l_r \in L\}$. □

Proposition 5.28. For $M'$, it holds that $1 \le d(M, M') \le |S|$.

Proof. $d(M, M') = |S \triangle S'| + |R \triangle R'| + |\pi(L\restriction_{S \cap S'}) \triangle \pi(L'\restriction_{S \cap S'})|$. Because $|R \triangle R'| = 0$ and $|\pi(L\restriction_{S \cap S'}) \triangle \pi(L'\restriction_{S \cap S'})| = 0$, $d(M, M') = |S \triangle S'| = |S - S'| + |S' - S| = |S_r| + 0 = |S_r|$. It holds that $|S_r| \ge 1$ and $|S_r| \le |S|$. So, we proved that $1 \le d(M, M') \le |S|$. □
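As an added example (not the paper's own code), the following Python computes the structural distance $d$ used in the proofs above and builds the concrete KSs that Defs. 5.11, 5.15, 5.19, 5.23 and 5.27 derive from one abstract repair step, so that the bounds of Props. 5.12, 5.16, 5.20, 5.24 and 5.28 can be checked on a small model. The representation (labels as (state, literal) pairs, with $\top$ as the absence of pairs), the `gamma` map standing in for $\gamma(\hat{s})$ and the sample model in `example()` are constructed for this illustration and do not come from the paper.

```python
# Added example, not the paper's code: the concrete-level effect of one abstract
# repair step (Defs. 5.11, 5.15, 5.19, 5.23, 5.27) and the distance d of Def. 4.1.
from dataclasses import dataclass

@dataclass(frozen=True)
class KS:
    S: frozenset      # states
    S0: frozenset     # initial states
    R: frozenset      # transitions (s1, s2)
    L: frozenset      # labeling as (state, literal) pairs; no pair = label ⊤ (assumption)

def neg(lit):
    """'!p' is the negation of 'p' and vice versa (constructed literal syntax)."""
    return lit[1:] if lit.startswith('!') else '!' + lit

def distance(M, M2):
    """d(M, M') = |S Δ S'| + |R Δ R'| + |π(L↾S∩S') Δ π(L'↾S∩S')|; labels compared on common states only."""
    common = M.S & M2.S
    L1 = {l for l in M.L if l[0] in common}
    L2 = {l for l in M2.L if l[0] in common}
    return len(M.S ^ M2.S) + len(M.R ^ M2.R) + len(L1 ^ L2)

def remove_must(M, gamma, s1h, s2h):
    """Def. 5.11: K_min, one KS per choice of s1 ∈ γ(ŝ1); R_m is s1's transitions into γ(ŝ2)."""
    kmin = []
    for s1 in sorted(gamma[s1h]):
        Rm = {(a, b) for (a, b) in M.R if a == s1 and b in gamma[s2h]}
        if Rm:
            kmin.append(KS(M.S, M.S0, M.R - Rm, M.L))
    return kmin

def remove_may(M, gamma, s1h, s2h):
    """Def. 5.15: drop every concrete transition from γ(ŝ1) into γ(ŝ2)."""
    Rm = {(a, b) for (a, b) in M.R if a in gamma[s1h] and b in gamma[s2h]}
    return KS(M.S, M.S0, M.R - Rm, M.L)

def change_label(M, gamma, sh, phi):
    """Def. 5.19: L_old = labels of γ(ŝ) contradicted by φ, L_new = labels of φ not yet present."""
    L_old = {(s, lit) for (s, lit) in M.L if s in gamma[sh] and neg(lit) in phi}
    L_new = {(s, lit) for s in gamma[sh] for lit in phi} - M.L
    return KS(M.S, M.S0, M.R, (M.L - L_old) | L_new)

def add_state(M, sn):
    """Def. 5.23: one new isolated, non-initial concrete state labelled ⊤."""
    return KS(M.S | {sn}, M.S0, M.R, M.L)

def is_isolated(M, gamma, srh):
    """Concrete-level form of the precondition of Def. 5.25: no transition touches γ(ŝr)."""
    return not any(a in gamma[srh] or b in gamma[srh] for (a, b) in M.R)

def remove_state(M, gamma, srh):
    """Def. 5.27: remove S_r = γ(ŝr) from S and S0 together with its labels L_r."""
    if not is_isolated(M, gamma, srh):
        raise ValueError("RemoveState needs a disconnected abstract state")
    Sr = gamma[srh]
    return KS(M.S - Sr, M.S0 - Sr, M.R, frozenset(l for l in M.L if l[0] not in Sr))

def example():
    """Constructed sample: seven concrete states abstracted to a, b, c, d (d is isolated)."""
    M = KS(S=frozenset({'s0', 's1', 's2', 's3', 's4', 's5', 's6'}), S0=frozenset({'s0'}),
           R=frozenset({('s0', 's1'), ('s0', 's2'), ('s1', 's3'), ('s1', 's4'), ('s2', 's3'),
                        ('s3', 's3'), ('s4', 's4')}),
           L=frozenset({('s0', 'p'), ('s1', 'p'), ('s2', 'p'), ('s3', 'q'), ('s4', 'q')}))
    gamma = {'a': {'s0'}, 'b': {'s1', 's2'}, 'c': {'s3', 's4'}, 'd': {'s5', 's6'}}
    return M, gamma
```

On the sample model, removing the must-transition $(\hat{b}, \hat{c})$ yields two candidate KSs at distances 1 and 2 (one per concrete state of $\hat{b}$), removing the may-transition costs 3, changing the label of $\hat{b}$ to $\{\neg p\}$ costs $|L_{old}| + |L_{new}| = 4$, adding a state costs 1, and removing the isolated $\hat{d}$ costs $|\gamma(\hat{d})| = 2$; each value lies inside the bound of the corresponding proposition.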


5.2.8. Minimality of Changes Ordering for Basic Repair Operations. The distance metric $d$ of Def. 4.1 reflects the need to quantify the structural changes in the concrete model that are attributed to model repair steps applied to the abstract KMTS. Every such repair step implies multiple structural changes in the concrete KSs, due to the use of abstraction. In this context, our distance metric is an essential means for the effective application of abstraction in the repair process.

Based on the upper bound given by Prop. 5.4 and all the respective results for the other basic repair operations, we introduce the partial ordering shown in Fig. 12. This ordering is used in our AbstractRepair algorithm to heuristically select at each step the basic repair operation that generates the KSs with the least changes. When it is possible to apply more than one basic repair operation with the same upper bound, our algorithm successively uses them until a repair solution is found, in an order based on the computational complexity of their application.

If, instead of our approach, all possible repaired KSs were checked to identify the basic repair operation with the minimum changes, this would defeat the purpose of using abstraction, because such a check would inevitably depend on the size of the concrete KSs.
Figure 12. Minimality of changes ordering of the set of basic repair operations


Algorithm 1 AbstractRepair

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ in PNF for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: if φ is false then
2:   return FAILURE
3: else if φ ∈ LIT then
4:   return AbstractRepair_ATOMIC(M̂, ŝ, φ, C)
5: else if φ is φ_1 ∧ φ_2 then
6:   return AbstractRepair_AND(M̂, ŝ, φ, C)
7: else if φ is φ_1 ∨ φ_2 then
8:   return AbstractRepair_OR(M̂, ŝ, φ, C)
9: else if φ is OPER φ_1 then
10:  return AbstractRepair_OPER(M̂, ŝ, φ, C)
11:  where OPER ∈ {AX, EX, AU, EU, AF, EF, AG, EG}


6. The Abstract Model Repair Algorithm

The AbstractRepair algorithm used in Step 3 of our repair process is a recursive, syntax-directed algorithm, where the syntax for the property $\phi$ in question is that of CTL. The same approach is followed by the SAT model checking algorithm in [39] and by a number of model repair solutions applied to concrete KSs [55]. In our case, we aim at the repair of an abstract KMTS by successively calling primitive repair functions that handle atomic formulas, logical connectives and CTL operators. At each step, the repair with the least changes for the concrete model among all the possible repairs is applied first.

The main routine of AbstractRepair is presented in Algorithm 1. If the property $\phi$ is not in Positive Normal Form, i.e. negations are applied only to atomic propositions, then we transform it into such a form before applying Algorithm 1.

An initially empty set of constraints $C = \{(\hat{s}_{c_1}, \phi_{c_1}), (\hat{s}_{c_2}, \phi_{c_2}), \ldots, (\hat{s}_{c_n}, \phi_{c_n})\}$ is passed as an argument in the successive recursive calls of AbstractRepair. We note that these constraints can also specify existing properties that should be preserved during repair. If $C$ is not empty, then for the returned KMTS $\hat{M}'$ it holds that $(\hat{M}', \hat{s}_{c_i}) \models \phi_{c_i}$ for all $(\hat{s}_{c_i}, \phi_{c_i}) \in C$. For brevity, we denote this with $\hat{M}' \models C$. We use $C$ in order to handle conjunctive formulas of the form $\phi = \phi_1 \wedge \phi_2$ for some state $\hat{s}$. In this case, AbstractRepair is called for the KMTS $\hat{M}$ and property $\phi_1$ with $C = \{(\hat{s}, \phi_2)\}$. The same is repeated for property $\phi_2$ with $C = \{(\hat{s}, \phi_1)\}$ and the two results are combined appropriately.

For any CTL formula $\phi$ and KMTS state $\hat{s}$, AbstractRepair either outputs a KMTS $\hat{M}'$ for which $(\hat{M}', \hat{s}) \models \phi$ or else returns FAILURE, if such a model cannot be found. This is the case when the algorithm handles conjunctive formulas and a KMTS that simultaneously satisfies all conjuncts cannot be found.


Algorithm 2 AbstractRepair_ATOMIC

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ where φ is an atomic formula for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: M̂' := ChangeLabel(M̂, ŝ, φ)
2: if M̂' ⊨ C then
3:   return M̂'
4: else
5:   return FAILURE



Algorithm 3 AbstractRepair_OR

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = φ_1 ∨ φ_2 for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂'), ŝ ∈ Ŝ' and (M̂', ŝ) ⊨ φ, or FAILURE.

1: RET_1 := AbstractRepair(M̂, ŝ, φ_1, C)
2: RET_2 := AbstractRepair(M̂, ŝ, φ_2, C)
3: if RET_1 ≠ FAILURE && RET_2 ≠ FAILURE then
4:   M̂_1 := RET_1
5:   M̂_2 := RET_2
6:   M̂' := MinimallyChanged(M̂, M̂_1, M̂_2)
7: else if RET_1 ≠ FAILURE then
8:   M̂' := RET_1
9: else if RET_2 ≠ FAILURE then
10:  M̂' := RET_2
11: else
12:  return FAILURE
13: return M̂'
Algorithm 4 AbstractRepair_AND

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = φ_1 ∧ φ_2 for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂'), ŝ ∈ Ŝ' and (M̂', ŝ) ⊨ φ, or FAILURE.

1: RET_1 := AbstractRepair(M̂, ŝ, φ_1, C)
2: RET_2 := AbstractRepair(M̂, ŝ, φ_2, C)
3: C_1 := C ∪ {(ŝ, φ_1)}, C_2 := C ∪ {(ŝ, φ_2)}
4: RET'_1 := FAILURE, RET'_2 := FAILURE
5: if RET_1 ≠ FAILURE then
6:   M̂_1 := RET_1
7:   RET'_1 := AbstractRepair(M̂_1, ŝ, φ_2, C_1)
8:   if RET'_1 ≠ FAILURE then
9:     M̂'_1 := RET'_1
10: if RET_2 ≠ FAILURE then
11:  M̂_2 := RET_2
12:  RET'_2 := AbstractRepair(M̂_2, ŝ, φ_1, C_2)
13:  if RET'_2 ≠ FAILURE then
14:    M̂'_2 := RET'_2
15: if RET'_1 ≠ FAILURE && RET'_2 ≠ FAILURE then
16:  M̂' := MinimallyChanged(M̂, M̂'_1, M̂'_2)
17: else if RET'_1 ≠ FAILURE then
18:  M̂' := RET'_1
19: else if RET'_2 ≠ FAILURE then
20:  M̂' := RET'_2
21: else
22:  return FAILURE
23: return M̂'


6.1. Primitive Functions. Algorithm 2 describes AbstractRepair_ATOMIC, which for a simple atomic formula updates the labeling of the input state with the given atomic proposition. Disjunctive formulas are handled by repairing the disjunct leading to the minimum change (Algorithm 3), while conjunctive formulas are handled by the algorithm with the use of constraints (Algorithm 4).

Algorithm 5 describes the primitive function AbstractRepair_AG, which is called when $\phi = AG\phi_1$. If AbstractRepair_AG is called for a state $\hat{s}$, it recursively calls AbstractRepair for $\hat{s}$ and for all states reachable through may-transitions from $\hat{s}$ which do not satisfy $\phi_1$. The resulting KMTS $\hat{M}'$ is returned, if it does not violate any constraint in $C$.

AbstractRepair_EX, presented in Algorithm 6, is the primitive function for handling properties of the form $EX\phi_1$ for some state $\hat{s}$. At first, AbstractRepair_EX attempts to repair the KMTS by adding a must-transition from $\hat{s}$ to a state that satisfies property $\phi_1$. If a repaired KMTS is not found, then AbstractRepair is recursively called for an immediate successor of $\hat{s}$ through a must-transition, such that $\phi_1$ is not satisfied. If a constraint in $C$ is violated, then (i) a new state is added, (ii) AbstractRepair is called for the new state and
Algorithm 5 AbstractRepair_AG

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = AGφ_1 for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: if (M̂, ŝ) ⊭ φ_1 then
2:   RET := AbstractRepair(M̂, ŝ, φ_1, C)
3:   if RET == FAILURE then
4:     return FAILURE
5:   else
6:     M̂' := RET
7: else
8:   M̂' := M̂
9: for all reachable states ŝ_k through may-transitions from ŝ such that (M̂', ŝ_k) ⊭ φ_1 do
10:  RET := AbstractRepair(M̂', ŝ_k, φ_1, C)
11:  if RET == FAILURE then
12:    return FAILURE
13:  else
14:    M̂' := RET
15: if M̂' ⊨ C then
16:  return M̂'
17: return FAILURE


(iii) a must-transition from $\hat{s}$ to the new state is added. The resulting KMTS is returned by the algorithm if all constraints of $C$ are satisfied.
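As an added example (not the paper's own code), the following Python implements the 3-valued CTL check over a KMTS for the fragment LIT, $\wedge$, $\vee$, $EX$ and an AbstractRepair routine that follows the structure of Algorithms 1, 2, 3, 4 and 6 for that fragment, including the constraint set $C$ and the three repair routes of AbstractRepair_EX. Assumptions that are not on this page: formulas are nested tuples; AddMust and AddMay (defined earlier in the paper) are modelled as inserting into $R_{may}$ as well as $R_{must}$; MinimallyChanged is approximated by counting abstract-level edits rather than the concrete upper bounds of Fig. 12; and the sample KMTS in `example_kmts()` is constructed.

```python
# Added example, not the paper's code: 3-valued check + AbstractRepair for LIT, and, or, EX.
# Formulas are tuples: ('lit', 'p'), ('lit', '!p'), ('and', f, g), ('or', f, g), ('EX', f), ('false',).
from dataclasses import dataclass
from copy import deepcopy

T, U, F = 1, 0, -1            # three truth values: true, unknown (⊥), false; ordered F < U < T
FAILURE = None

def neg(lit):
    return lit[1:] if lit.startswith('!') else '!' + lit

@dataclass
class KMTS:
    states: set
    init: set
    must: set                 # R_must, kept as a subset of R_may
    may: set                  # R_may
    labels: dict              # state -> set of literals; the empty set is the label ⊤

    def check(self, s, phi):
        """3-valued semantics: EX is true via a must-successor, false only if every may-successor fails."""
        kind = phi[0]
        if kind == 'false':
            return F
        if kind == 'lit':
            if phi[1] in self.labels[s]:
                return T
            return F if neg(phi[1]) in self.labels[s] else U
        if kind == 'and':
            return min(self.check(s, phi[1]), self.check(s, phi[2]))
        if kind == 'or':
            return max(self.check(s, phi[1]), self.check(s, phi[2]))
        if kind == 'EX':
            must_succ = [t for (a, t) in self.must if a == s]
            may_succ = [t for (a, t) in self.may if a == s]
            if any(self.check(t, phi[1]) == T for t in must_succ):
                return T
            return F if all(self.check(t, phi[1]) == F for t in may_succ) else U
        raise ValueError(f"unsupported formula {phi!r}")

    def satisfies(self, constraints):          # M' |= C
        return all(self.check(s, f) == T for (s, f) in constraints)

# Basic repair operations on the KMTS.  ChangeLabel/AddState follow Defs. 5.17/5.21;
# AddMust/AddMay are assumed (earlier definitions) to keep R_must ⊆ R_may.
def change_label(M, s, phi):
    M2 = deepcopy(M)
    M2.labels[s] = (M2.labels[s] | set(phi)) - {neg(l) for l in phi}
    return M2

def add_state(M):
    M2 = deepcopy(M)
    n = next(f"n{i}" for i in range(len(M.states) + 1) if f"n{i}" not in M.states)
    M2.states.add(n); M2.labels[n] = set()
    return M2, n

def add_must(M, r):
    M2 = deepcopy(M); M2.must.add(r); M2.may.add(r); return M2

def add_may(M, r):
    M2 = deepcopy(M); M2.may.add(r); return M2

def abstract_changes(M, M2):
    """Assumption: MinimallyChanged compares abstract-level edits instead of the Fig. 12 bounds."""
    lab = sum(len(M.labels[s] ^ M2.labels[s]) for s in M.states & M2.states)
    return len(M.states ^ M2.states) + len(M.must ^ M2.must) + len(M.may ^ M2.may) + lab

def minimally_changed(M, M1, M2):
    return M1 if abstract_changes(M, M1) <= abstract_changes(M, M2) else M2

def abstract_repair(M, s, phi, C=frozenset()):
    kind = phi[0]
    if kind == 'false':                                        # Algorithm 1, lines 1-2
        return FAILURE
    if kind == 'lit':                                          # Algorithm 2
        M2 = change_label(M, s, {phi[1]})
        return M2 if M2.satisfies(C) else FAILURE
    if kind == 'or':                                           # Algorithm 3
        r1 = abstract_repair(M, s, phi[1], C)
        r2 = abstract_repair(M, s, phi[2], C)
        return minimally_changed(M, r1, r2) if r1 and r2 else (r1 or r2)
    if kind == 'and':                                          # Algorithm 4: each conjunct repaired under the other
        r1 = abstract_repair(M, s, phi[1], C)
        r2 = abstract_repair(M, s, phi[2], C)
        r1p = abstract_repair(r1, s, phi[2], C | {(s, phi[1])}) if r1 else FAILURE
        r2p = abstract_repair(r2, s, phi[1], C | {(s, phi[2])}) if r2 else FAILURE
        return minimally_changed(M, r1p, r2p) if r1p and r2p else (r1p or r2p)
    if kind == 'EX':                                           # Algorithm 6
        phi1 = phi[1]
        good = [t for t in sorted(M.states) if M.check(t, phi1) == T]
        if good:                                               # lines 1-5: must-transition to a satisfying state
            for t in good:
                M2 = add_must(M, (s, t))
                if M2.satisfies(C):
                    return M2
        else:                                                  # lines 6-11: repair a must-successor instead
            for (a, t) in sorted(M.must):
                if a == s and M.check(t, phi1) != T:
                    r = abstract_repair(M, t, phi1, C)
                    if r:
                        return r
        M2, n = add_state(M)                                   # lines 12-18: fresh state, must-transition, may self-loop
        M2 = add_may(add_must(M2, (s, n)), (n, n))
        r = abstract_repair(M2, n, phi1, C)
        return r if r else FAILURE
    raise ValueError(f"unsupported formula {phi!r}")

def example_kmts():
    """Constructed sample KMTS: a -> b (must), a -> c (may only), self-loops on b and c."""
    return KMTS(states={'a', 'b', 'c'}, init={'a'},
                must={('a', 'b'), ('b', 'b'), ('c', 'c')},
                may={('a', 'b'), ('a', 'c'), ('b', 'b'), ('c', 'c')},
                labels={'a': {'p'}, 'b': {'!q', '!r'}, 'c': {'q'}})
```

On the sample model, $EX\,q$ is unknown at $a$ (the only must-successor $b$ refutes $q$, the may-successor $c$ satisfies it) and is repaired by promoting $(a, c)$ to a must-transition; $q \wedge \neg q$ fails because each conjunct's repair violates the constraint recorded for the other; and $EX\,r$ under the constraint $(b, \neg r)$ cannot relabel $b$, so the third route of Algorithm 6 adds a fresh state, labels it with $r$ and links it from $a$.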

Algorithm 7 presents the primitive function AbstractRepair_AX, which is used when $\phi = AX\phi_1$. Firstly, AbstractRepair_AX tries to repair the KMTS by applying AbstractRepair to all direct may-successors $\hat{s}_i$ of $\hat{s}$ which do not satisfy property $\phi_1$, and in the case that all the constraints are satisfied the new KMTS is returned by the function. If such states do not exist or a constraint is violated, all may-transitions $(\hat{s}, \hat{s}_i)$ for which $(\hat{M}, \hat{s}_i) \not\models \phi_1$ are removed. If there are states $\hat{s}_i$ such that $\hat{r}_i := (\hat{s}, \hat{s}_i) \in R_{may}$ and all constraints are satisfied, then a repaired KMTS has been produced and it is returned by the function. Otherwise, a repaired KMTS results by the application of AddMay from $\hat{s}$ to all states $\hat{s}_j$ which satisfy $\phi_1$. If any constraint is violated, then the KMTS is repaired by adding a new state, applying AbstractRepair to this state for property $\phi_1$ and adding a may-transition from $\hat{s}$ to this state. If all constraints are satisfied, the repaired KMTS is returned.

AbstractRepair_EG, which is presented in Algorithm 8, is the primitive function which is called when the input CTL property is of the form $EG\phi_1$. Initially, if $\phi_1$ is not satisfied at $\hat{s}$, AbstractRepair is called for $\hat{s}$ and $\phi_1$, and a KMTS $\hat{M}_1$ is produced. At first, a must-transition is added from $\hat{s}$ to a state $\hat{s}_1$ of a maximal must-path (i.e. a must-path in which each transition appears at most once) $\pi_{must} := [\hat{s}_1, \hat{s}_2, \ldots]$ such that $\forall \hat{s}_i \in \pi_{must}, (\hat{M}_1, \hat{s}_i) \models \phi_1$. If all constraints are satisfied, then the repaired KMTS is returned. Otherwise, a KMTS is produced by recursively calling AbstractRepair for all states $\hat{s}_i \neq \hat{s}$ of any maximal must-path $\pi_{must} := [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ with $\forall \hat{s}_i \in \pi_{must}, (\hat{M}_1, \hat{s}_i) \not\models \phi_1$. If there are violated constraints in $C$, then a repaired KMTS is produced by adding a new state, calling AbstractRepair for this
Algorithm 6 AbstractRepair_EX

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = EXφ_1 for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: if there exists ŝ_1 ∈ Ŝ such that (M̂, ŝ_1) ⊨ φ_1 then
2:   for all ŝ_i ∈ Ŝ such that (M̂, ŝ_i) ⊨ φ_1 do
3:     r̂_i := (ŝ, ŝ_i), M̂' := AddMust(M̂, r̂_i)
4:     if M̂' ⊨ C then
5:       return M̂'
6: else
7:   for all direct must-reachable states ŝ_i from ŝ such that (M̂, ŝ_i) ⊭ φ_1 do
8:     RET := AbstractRepair(M̂, ŝ_i, φ_1, C)
9:     if RET ≠ FAILURE then
10:      M̂' := RET
11:      return M̂'
12: M̂' := AddState(M̂, ŝ_n), r̂_n := (ŝ, ŝ_n), M̂' := AddMust(M̂', r̂_n)
13: r̂_n := (ŝ_n, ŝ_n)
14: M̂' := AddMay(M̂', r̂_n)
15: RET := AbstractRepair(M̂', ŝ_n, φ_1, C)
16: if RET ≠ FAILURE then
17:  M̂' := RET
18:  return M̂'
19: return FAILURE


state and property $\phi_1$ and calling AddMust to insert a must-transition from $\hat{s}$ to the new state. The resulting KMTS is returned by the algorithm, if all constraints in $C$ are satisfied.

AbstractRepair_AF, shown in Algorithm 9, is called when the CTL formula $\phi$ is of the form $AF\phi_1$. While there is a maximal may-path $\pi_{may} := [\hat{s}, \hat{s}_1, \ldots]$ such that $\forall \hat{s}_i \in \pi_{may}, (\hat{M}', \hat{s}_i) \not\models \phi_1$, AbstractRepair_AF tries to obtain a repaired KMTS by recursively calling AbstractRepair for some state $\hat{s}_i \in \pi_{may}$. If all constraints are satisfied in the new KMTS, then it is returned as the repaired model.

AbstractRepair_EF, shown in Algorithm 10, is called when the CTL property $\phi$ is of the form $EF\phi_1$. Initially, a KMTS is acquired by adding a must-transition from a must-reachable state $\hat{s}_i$ from $\hat{s}$ to a state $\hat{s}_k \in \hat{S}$ such that $(\hat{M}, \hat{s}_k) \models \phi_1$. If all constraints are satisfied then this KMTS is returned. Otherwise, a KMTS is produced by applying AbstractRepair to a must-reachable state $\hat{s}_i$ from $\hat{s}$ for $\phi_1$. If none of the constraints is violated then this KMTS is returned. In any other case, a new KMTS is produced by adding a new state $\hat{s}_n$, recursively calling AbstractRepair for this state and $\phi_1$ and adding a must-transition from $\hat{s}$ or from a must-reachable $\hat{s}_i$ from $\hat{s}$ to $\hat{s}_n$. If all constraints are satisfied, then this KMTS is returned as a repaired model by the algorithm.

AbstractRepair_AU is presented in Algorithm 11 and is called when $\phi = A(\phi_1 U \phi_2)$. If $\phi_1$ is not satisfied at $\hat{s}$, then a KMTS $\hat{M}_1$ is produced by applying AbstractRepair to $\hat{s}$ for $\phi_1$. Otherwise, $\hat{M}_1$ is the same as $\hat{M}$. A new KMTS is produced as follows: for all may-paths $\pi_{may} := [\hat{s}_1, \ldots, \hat{s}_m]$ such that $\forall \hat{s}_i \in \pi_{may}, (\hat{M}_1, \hat{s}_i) \models \phi_1$ and for which there does not
Algorithm 7 AbstractRepair_AX

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = AXφ_1 for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: M̂' := M̂
2: RET := FAILURE
3: for all direct may-reachable states ŝ_i from ŝ with (ŝ, ŝ_i) ∈ R_may do
4:   if (M̂', ŝ_i) ⊭ φ_1 then
5:     RET := AbstractRepair(M̂', ŝ_i, φ_1, C)
6:     if RET == FAILURE then
7:       BREAK
8:     M̂' := RET
9: if RET ≠ FAILURE then
10:  return M̂'
11: M̂' := M̂
12: for all direct may-reachable states ŝ_i from ŝ with r̂_i := (ŝ, ŝ_i) ∈ R_may do
13:  if (M̂', ŝ_i) ⊭ φ_1 then
14:    M̂' := RemoveMay(M̂', r̂_i)
15: if there exists a direct may-reachable state ŝ_1 from ŝ such that (ŝ, ŝ_1) ∈ R_may then
16:  if M̂' ⊨ C then
17:    return M̂'
18: else
19:  for all ŝ_j ∈ Ŝ such that (M̂', ŝ_j) ⊨ φ_1 do
20:    r̂_j := (ŝ, ŝ_j), M̂' := AddMay(M̂', r̂_j)
21:  if M̂' ⊨ C then
22:    return M̂'
23: M̂' := AddState(M̂, ŝ_n)
24: if ŝ_n is a dead-end state then
25:  r̂_n := (ŝ_n, ŝ_n), M̂' := AddMay(M̂', r̂_n)
26: RET := AbstractRepair(M̂', ŝ_n, φ_1, C)
27: if RET ≠ FAILURE then
28:  M̂' := RET, r̂_n := (ŝ, ŝ_n), M̂' := AddMay(M̂', r̂_n)
29:  if M̂' ⊨ C then
30:    return M̂'
31: return FAILURE


exist $\hat{r}_m := (\hat{s}_m, \hat{s}_n) \in R_{may}$ with $(\hat{M}_1, \hat{s}_n) \models \phi_2$, AbstractRepair is called for property $\phi_2$ for some state $\hat{s}_j \in \pi_{may}$ with $(\hat{M}_1, \hat{s}_j) \not\models \phi_2$. If the resulting KMTS satisfies all constraints, then it is returned as a repair solution.

AbstractRepair_EU is called if for the input CTL formula $\phi$ it holds that $\phi = E(\phi_1 U \phi_2)$. AbstractRepair_EU is presented in Algorithm 12. Firstly, if $\phi_1$ is not satisfied at $\hat{s}$, then AbstractRepair is called for $\hat{s}$ and $\phi_1$ and a KMTS $\hat{M}_1$ is produced for which $(\hat{M}_1, \hat{s}) \models \phi_1$. Otherwise, $\hat{M}_1$ is the same as $\hat{M}$. A new KMTS is produced as follows: for a must-path
Algorithm 8 AbstractRepair_EG

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = EGφ_1 for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: M̂_1 := M̂
2: if (M̂, ŝ) ⊭ φ_1 then
3:   RET := AbstractRepair(M̂, ŝ, φ_1, C)
4:   if RET == FAILURE then
5:     return FAILURE
6:   M̂_1 := RET
7: while there exists a maximal path π_must := [ŝ_1, ŝ_2, ...] such that ∀ŝ_i ∈ π_must it holds that (M̂_1, ŝ_i) ⊨ φ_1 do
8:   r̂_1 := (ŝ, ŝ_1), M̂' := AddMust(M̂_1, r̂_1)
9:   if M̂' ⊨ C then
10:    return M̂'
11: while there exists a maximal path π_must := [ŝ, ŝ_1, ŝ_2, ...] such that ∀ŝ_i ≠ ŝ ∈ π_must it holds that (M̂_1, ŝ_i) ⊭ φ_1 do
12:  M̂' := M̂_1
13:  for all ŝ_i ∈ π_must do
14:    if (M̂_1, ŝ_i) ⊭ φ_1 then
15:      RET := AbstractRepair(M̂', ŝ_i, φ_1, C)
16:      if RET ≠ FAILURE then
17:        M̂' := RET
18:      else
19:        continue to next path
20:  return M̂'
21: M̂' := AddState(M̂_1, ŝ_n)
22: RET := AbstractRepair(M̂', ŝ_n, φ_1, C)
23: if RET ≠ FAILURE then
24:  M̂' := RET
25:  r̂_n := (ŝ, ŝ_n), M̂' := AddMust(M̂', r̂_n)
26:  if ŝ_n is a dead-end state then
27:    r̂_n := (ŝ_n, ŝ_n), M̂' := AddMust(M̂', r̂_n)
28:  if M̂' ⊨ C then
29:    return M̂'
30: return FAILURE


$\pi_{must} := [\hat{s}_1, \ldots, \hat{s}_m]$ such that $\forall \hat{s}_i \in \pi_{must}, (\hat{M}_1, \hat{s}_i) \models \phi_1$ and for a $\hat{s}_j \in \hat{S}$ with $(\hat{M}_1, \hat{s}_j) \models \phi_2$, a must-transition is added from $\hat{s}_m$ to $\hat{s}_j$. If all constraints are satisfied then the new KMTS is returned. Alternatively, a KMTS is produced by adding a new state $\hat{s}_n$, recursively calling AbstractRepair for $\phi_2$ and $\hat{s}_n$ and adding a must-transition from $\hat{s}$ to $\hat{s}_n$. In the case that no constraint is violated, this is a repaired KMTS and it is returned from the function.
Algorithm 9 AbstractRepair_AF

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = AFφ_1 for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: M̂' := M̂
2: while there exists a maximal path π_may := [ŝ, ŝ_1, ...] such that ∀ŝ_i ∈ π_may it holds that (M̂', ŝ_i) ⊭ φ_1 do
3:   for all ŝ_i ∈ π_may do
4:     RET := AbstractRepair(M̂', ŝ_i, φ_1, C)
5:     if RET ≠ FAILURE then
6:       M̂' := RET
7:       continue to next path
8:   return FAILURE
9: return M̂'


6.2. Properties of the Algorithm. AbstractRepair is well-defined [49], in the sense that the algorithm always proceeds and eventually returns a result $\hat{M}'$ or FAILURE such that $(\hat{M}', \hat{s}) \models \phi$, for any input $\hat{M}$, $\phi$ and $C$, with $(\hat{M}, \hat{s}) \not\models \phi$. Moreover, the algorithm steps are well-ordered, as opposed to existing concrete model repair solutions that entail nondeterministic behavior.

6.2.1. Soundness.

Lemma 6.1. Let a KMTS $\hat{M}$, a CTL formula $\phi$ with $(\hat{M}, \hat{s}) \not\models \phi$ for some $\hat{s}$ of $\hat{M}$, and a set $C = \{(\hat{s}_{c_1}, \phi_{c_1}), (\hat{s}_{c_2}, \phi_{c_2}), \ldots, (\hat{s}_{c_n}, \phi_{c_n})\}$ with $(\hat{M}, \hat{s}_{c_i}) \models \phi_{c_i}$ for all $(\hat{s}_{c_i}, \phi_{c_i}) \in C$. If $AbstractRepair(\hat{M}, \hat{s}, \phi, C)$ returns a KMTS $\hat{M}'$, then $(\hat{M}', \hat{s}) \models \phi$ and $(\hat{M}', \hat{s}_{c_i}) \models \phi_{c_i}$ for all $(\hat{s}_{c_i}, \phi_{c_i}) \in C$.

Proof. We use structural induction on $\phi$. For brevity, we write $\hat{M} \models C$ to denote that $(\hat{M}, \hat{s}_{c_i}) \models \phi_{c_i}$, for all $(\hat{s}_{c_i}, \phi_{c_i}) \in C$.

Base Case:

• if $\phi = \top$, the lemma is trivially true, because $(\hat{M}, \hat{s}) \models \phi$.

• if $\phi = \bot$, then $AbstractRepair(\hat{M}, \hat{s}, \phi, C)$ returns FAILURE at line 2 of Algorithm 1 and the lemma is also trivially true.

• if $\phi = p \in AP$, $AbstractRepair_{ATOMIC}(\hat{M}, \hat{s}, p, C)$ is called at line 4 of Algorithm 1 and an $\hat{M}' = ChangeLabel(\hat{M}, \hat{s}, p)$ is computed at line 1 of Algorithm 2. Since $p \in \hat{L}'(\hat{s})$ in $\hat{M}'$, from the 3-valued semantics of CTL over KMTSs we have $(\hat{M}', \hat{s}) \models \phi$. Algorithm 2 returns $\hat{M}'$ at line 3 if and only if $\hat{M}' \models C$, and the lemma is true.

Induction Hypothesis: For CTL formulae $\phi_1, \phi_2$, the lemma is true. Thus, for $\phi_1$ (resp. $\phi_2$), if $AbstractRepair(\hat{M}, \hat{s}, \phi_1, C)$ returns a KMTS $\hat{M}'$, then $(\hat{M}', \hat{s}) \models \phi_1$ and $\hat{M}' \models C$.
Algorithm 10 AbstractRepair_EF

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = EFφ_1 for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: for all must-reachable states ŝ_i from ŝ with (M̂, ŝ_i) ⊭ φ_1, or ŝ_i := ŝ, do
2:   for all ŝ_k ∈ Ŝ such that (M̂, ŝ_k) ⊨ φ_1 do
3:     r̂_k := (ŝ_i, ŝ_k), M̂' := AddMust(M̂, r̂_k)
4:     if M̂' ⊨ C then
5:       return M̂'
6: for all must-reachable states ŝ_i from ŝ with (M̂, ŝ_i) ⊭ φ_1 do
7:   RET := AbstractRepair(M̂, ŝ_i, φ_1, C)
8:   if RET ≠ FAILURE then
9:     M̂' := RET
10:    return M̂'
11: M̂_1 := AddState(M̂', ŝ_n), RET := AbstractRepair(M̂_1, ŝ_n, φ_1, C)
12: if RET ≠ FAILURE then
13:  M̂_1 := RET
14:  for all must-reachable states ŝ_i from ŝ with (M̂, ŝ_i) ⊭ φ_1, or ŝ_i := ŝ, do
15:    r̂_i := (ŝ_i, ŝ_n), M̂' := AddMust(M̂_1, r̂_i)
16:    if ŝ_n is a dead-end state then
17:      r̂_n := (ŝ_n, ŝ_n), M̂' := AddMust(M̂', r̂_n)
18:    if M̂' ⊨ C then
19:      return M̂'
20: return FAILURE


Inductive Step:

• if $\phi = \phi_1 \vee \phi_2$, then $AbstractRepair(\hat{M}, \hat{s}, \phi, C)$ calls $AbstractRepair_{OR}(\hat{M}, \hat{s}, \phi_1 \vee \phi_2, C)$ at line 8 of Algorithm 1. From the induction hypothesis, if a KMTS $\hat{M}_1$ is returned by $AbstractRepair(\hat{M}, \hat{s}, \phi_1, C)$ at line 1 of Algorithm 3 and a KMTS $\hat{M}_2$ is returned by $AbstractRepair(\hat{M}, \hat{s}, \phi_2, C)$ respectively, then $(\hat{M}_1, \hat{s}) \models \phi_1$, $\hat{M}_1 \models C$ and $(\hat{M}_2, \hat{s}) \models \phi_2$, $\hat{M}_2 \models C$. $AbstractRepair_{OR}(\hat{M}, \hat{s}, \phi_1 \vee \phi_2, C)$ returns at line 8 of Algorithm 3 the KMTS $\hat{M}'$, which can be either $\hat{M}_1$ or $\hat{M}_2$. Therefore, $(\hat{M}', \hat{s}) \models \phi_1$ or $(\hat{M}', \hat{s}) \models \phi_2$, and $\hat{M}' \models C$ in both cases. From the 3-valued semantics of CTL, $(\hat{M}', \hat{s}) \models \phi_1 \vee \phi_2$ and the lemma is true.

• if $\phi = \phi_1 \wedge \phi_2$, then $AbstractRepair(\hat{M}, \hat{s}, \phi, C)$ calls $AbstractRepair_{AND}(\hat{M}, \hat{s}, \phi_1 \wedge \phi_2, C)$ at line 6 of Algorithm 1. From the induction hypothesis, if at line 1 of Algorithm 4 $AbstractRepair(\hat{M}, \hat{s}, \phi_1, C)$ returns a KMTS $\hat{M}_1$, then $(\hat{M}_1, \hat{s}) \models \phi_1$ and $\hat{M}_1 \models C$. Consequently, $\hat{M}_1 \models C_1$, where $C_1 = C \cup \{(\hat{s}, \phi_1)\}$. At line 7, if $AbstractRepair(\hat{M}_1, \hat{s}, \phi_2, C_1)$ returns a KMTS $\hat{M}'_1$, then from the induction hypothesis $(\hat{M}'_1, \hat{s}) \models \phi_2$ and $\hat{M}'_1 \models C_1$.

In the same manner, if the calls at lines 2 and 12 of Algorithm 4 return the KMTSs $\hat{M}_2$ and $\hat{M}'_2$, then from the induction hypothesis $(\hat{M}_2, \hat{s}) \models \phi_2$, $\hat{M}_2 \models C$ and $(\hat{M}'_2, \hat{s}) \models \phi_1$, $\hat{M}'_2 \models C_2$ with $C_2 = C \cup \{(\hat{s}, \phi_2)\}$.
Algorithm 11 AbstractRepair_AU

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = A(φ_1 U φ_2) for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: M̂_1 := M̂
2: if (M̂, ŝ) ⊭ φ_1 then
3:   RET := AbstractRepair(M̂, ŝ, φ_1, C)
4:   if RET == FAILURE then
5:     return FAILURE
6:   else
7:     M̂_1 := RET
8: while there exists a path π_may := [ŝ_1, ..., ŝ_m] such that ∀ŝ_i ∈ π_may it holds that (M̂_1, ŝ_i) ⊨ φ_1 and there does not exist r̂_m := (ŝ_m, ŝ_n) ∈ R_may such that (M̂_1, ŝ_n) ⊨ φ_2 do
9:   for all ŝ_j ∈ π_may for which (M̂_1, ŝ_j) ⊭ φ_2 with ŝ_j ≠ ŝ_1 do
10:    RET := AbstractRepair(M̂_1, ŝ_j, φ_2, C)
11:    if RET ≠ FAILURE then
12:      M̂' := RET
13:      continue to next path
14:  return FAILURE
15: return M̂'


The KMTS $\hat{M}'$ at line 6 of Algorithm 4 can be either $\hat{M}'_1$ or $\hat{M}'_2$ and therefore, $(\hat{M}', \hat{s}) \models \phi_1$, $(\hat{M}', \hat{s}) \models \phi_2$ and $\hat{M}' \models C$. From the 3-valued semantics of CTL it holds that $(\hat{M}', \hat{s}) \models \phi_1 \wedge \phi_2$ and the lemma is true.

• if $\phi = EX\phi_1$, $AbstractRepair(\hat{M}, \hat{s}, \phi, C)$ calls $AbstractRepair_{EX}(\hat{M}, \hat{s}, EX\phi_1, C)$ at line 10 of Algorithm 1.

If a KMTS $\hat{M}'$ is returned at line 5 of Algorithm 6, there is a state $\hat{s}_1$ with $(\hat{M}, \hat{s}_1) \models \phi_1$ such that $\hat{M}' = AddMust(\hat{M}, (\hat{s}, \hat{s}_1))$ and $\hat{M}' \models C$. From the 3-valued semantics of CTL, we conclude that $(\hat{M}', \hat{s}) \models EX\phi_1$.

If an $\hat{M}'$ is returned at line 11, there is $(\hat{s}, \hat{s}_1) \in R_{must}$ such that $(\hat{M}', \hat{s}_1) \models \phi_1$ and $\hat{M}' \models C$ from the induction hypothesis, since $\hat{M}' = AbstractRepair(\hat{M}, \hat{s}_1, \phi_1, C)$. From the 3-valued semantics of CTL, we conclude that $(\hat{M}', \hat{s}) \models EX\phi_1$.

If an $\hat{M}'$ is returned at line 18, a must-transition $(\hat{s}, \hat{s}_n)$ to a new state has been added and $\hat{M}' = AbstractRepair(AddMust(\hat{M}, (\hat{s}, \hat{s}_n)), \hat{s}_n, \phi_1, C)$. Then, from the induction hypothesis $(\hat{M}', \hat{s}_n) \models \phi_1$, $\hat{M}' \models C$ and from the 3-valued semantics of CTL, we also conclude that $(\hat{M}', \hat{s}) \models EX\phi_1$.

• if $\phi = AG\phi_1$, $AbstractRepair(\hat{M}, \hat{s}, \phi, C)$ calls $AbstractRepair_{AG}(\hat{M}, \hat{s}, AG\phi_1, C)$ at line 10 of Algorithm 1. If $(\hat{M}, \hat{s}) \not\models \phi_1$ and $AbstractRepair(\hat{M}, \hat{s}, \phi_1, C)$ returns a KMTS $\hat{M}_0$ at line 2 of Algorithm 5, then from the induction hypothesis $(\hat{M}_0, \hat{s}) \models \phi_1$ and $\hat{M}_0 \models C$. Otherwise, $\hat{M}_0 = \hat{M}$ and $(\hat{M}_0, \hat{s}) \models \phi_1$ also holds true.

If Algorithm 5 returns an $\hat{M}'$ at line 16, then $\hat{M}' \models C$ and $\hat{M}'$ is the result of successive $AbstractRepair(\hat{M}_i, \hat{s}_k, \phi_1, C)$ calls with $\hat{M}_i = AbstractRepair(\hat{M}_{i-1}, \hat{s}_k, \phi_1, C)$ and $i =$
Algorithm 12 AbstractRepair_EU

Input: M̂ = (Ŝ, Ŝ_0, R_must, R_may, L̂), ŝ ∈ Ŝ, a CTL property φ = E(φ_1 U φ_2) for which (M̂, ŝ) ⊭ φ, and a set of constraints C = {(ŝ_c1, φ_c1), (ŝ_c2, φ_c2), ..., (ŝ_cn, φ_cn)} where ŝ_ci ∈ Ŝ and φ_ci is a CTL formula.

Output: M̂' = (Ŝ', Ŝ'_0, R'_must, R'_may, L̂') and (M̂', ŝ) ⊨ φ, or FAILURE.

1: M̂_1 := M̂
2: if (M̂, ŝ) ⊭ φ_1 then
3:   RET := AbstractRepair(M̂, ŝ, φ_1, C)
4:   if RET == FAILURE then
5:     return FAILURE
6:   else
7:     M̂_1 := RET
8: while there exists a path π_must := [ŝ_1, ..., ŝ_m] such that ∀ŝ_i ∈ π_must, (M̂_1, ŝ_i) ⊨ φ_1 do
9:   for all ŝ_j ∈ Ŝ with (M̂_1, ŝ_j) ⊨ φ_2 do
10:    r̂_j := (ŝ_m, ŝ_j), M̂' := AddMust(M̂_1, r̂_j)
11:    if M̂' ⊨ C then
12:      return M̂'
13: M̂' := AddState(M̂_1, ŝ_k)
14: RET := AbstractRepair(M̂', ŝ_k, φ_2, C)
15: if RET ≠ FAILURE then
16:  M̂' := RET
17:  r̂_n := (ŝ, ŝ_k), M̂' := AddMust(M̂', r̂_n)
18:  if ŝ_k is a dead-end state then
19:    r̂_k := (ŝ_k, ŝ_k), M̂' := AddMust(M̂', r̂_k)
20:  if M̂' ⊨ C then
21:    return M̂'
22: return FAILURE


1,..., for all may-reachable states Sk from s such that (Mo,Sfc) ^ (t>i. From the induction 
hypothesis, {M',Sk) |= 4>i and M' |= C for all such Sk and from 3-valued semantics of 
CTL we conclude that (M', s) \= AGcpi. 

We prove the lemma for all other cases in a similar manner. O 

Theorem 6.2 (Soundness). Let a KMTS M, a CTL formula (f with (M, s) ^ (j), for some 
s of M. If AbstractRepair{M, s, (j),%) returns a KMTS M', then {M' ,s) \= f. 


Proof. We use structural induction on φ and Lemma 6.1 in the inductive step for φ1 ∧ φ2.

Base Case:

• if φ = ⊤, Theorem 6.2 is trivially true, because (M, s) ⊨ φ.

• if φ = ⊥, then AbstractRepair(M, s, ⊥, ∅) returns FAILURE at line 2 of the main AbstractRepair algorithm and the theorem is also trivially true.

• if φ = p ∈ AP, AbstractRepair_ATOMIC(M, s, p, ∅) is called at line 4 of the main AbstractRepair algorithm and an M' = ChangeLabel(M, s, p) is computed at its line 1. Because p ∈ L'(s) in M', from the 3-valued semantics of CTL over KMTSs we have (M', s) ⊨ φ. AbstractRepair_ATOMIC returns M' at line 3 because C is empty, and the theorem is true.


Induction Hypothesis: For CTL formulae φ1, φ2, the theorem is true. Thus, for φ1 (resp. φ2), if AbstractRepair(M, s, φ1, ∅) returns a KMTS M', then (M', s) ⊨ φ1.


Inductive Step:

• if φ = φ1 ∨ φ2, then AbstractRepair(M, s, φ, ∅) calls AbstractRepair_OR(M, s, φ1 ∨ φ2, ∅) at line 8 of the main AbstractRepair algorithm.

From the induction hypothesis, if AbstractRepair(M, s, φ1, ∅) returns a KMTS M1 at line 1 of AbstractRepair_OR and AbstractRepair(M, s, φ2, ∅) returns a KMTS M2 respectively, then (M1, s) ⊨ φ1 and (M2, s) ⊨ φ2. AbstractRepair_OR(M, s, φ1 ∨ φ2, ∅) returns at its line 8 the KMTS M', which can be either M1 or M2. Therefore, (M', s) ⊨ φ1 or (M', s) ⊨ φ2. From the 3-valued semantics of CTL, (M', s) ⊨ φ1 ∨ φ2 and the theorem is true.


• if φ = φ1 ∧ φ2, then AbstractRepair(M, s, φ, ∅) calls AbstractRepair_AND(M, s, φ1 ∧ φ2, ∅) at line 6 of the main AbstractRepair algorithm. From the induction hypothesis, if at line 1 of AbstractRepair_AND the call AbstractRepair(M, s, φ1, ∅) returns a KMTS M1, then (M1, s) ⊨ φ1. Consequently, M1 ⊨ C1, where C1 = ∅ ∪ {(s, φ1)}. At line 7, if AbstractRepair(M1, s, φ2, C1) returns a KMTS M1', then from Lemma 6.1 (M1', s) ⊨ φ2 and M1' ⊨ C1.

Likewise, if the calls at lines 2 and 12 of AbstractRepair_AND return the KMTSs M2 and M2', then from the induction hypothesis (M2, s) ⊨ φ2 and from Lemma 6.1 (M2', s) ⊨ φ1 and M2' ⊨ C2, with C2 = ∅ ∪ {(s, φ2)}.

The KMTS M' returned by AbstractRepair_AND can be either M1' or M2' and therefore (M', s) ⊨ φ1 and (M', s) ⊨ φ2. From the 3-valued semantics of CTL it holds that (M', s) ⊨ φ1 ∧ φ2 and the theorem is true.

• if φ = EXφ1, AbstractRepair(M, s, φ, ∅) calls AbstractRepair_EX(M, s, EXφ1, ∅) at line 10 of the main AbstractRepair algorithm.

If a KMTS M' is returned at line 5 of AbstractRepair_EX, there is a state s1 with (M, s1) ⊨ φ1 such that M' = AddMust(M, (s, s1)). From the 3-valued semantics of CTL, we conclude that (M', s) ⊨ EXφ1.

If an M' is returned at line 11, there is (s, s1) ∈ Rmust such that (M', s1) ⊨ φ1 from the induction hypothesis, since M' = AbstractRepair(M, s1, φ1, ∅). From the 3-valued semantics of CTL, we conclude that (M', s) ⊨ EXφ1.

If an M' is returned at line 18, a must-transition (s, sn) to a new state has been added and M' = AbstractRepair(AddMust(M, (s, sn)), sn, φ1, ∅). Then, from the induction hypothesis (M', sn) ⊨ φ1 and from the 3-valued semantics of CTL we also conclude that (M', s) ⊨ EXφ1.

• if φ = AGφ1, AbstractRepair(M, s, φ, ∅) calls AbstractRepair_AG(M, s, AGφ1, ∅) at line 10 of the main AbstractRepair algorithm. If (M, s) ⊭ φ1 and AbstractRepair(M, s, φ1, ∅) returns a KMTS M0 at line 2 of AbstractRepair_AG, then from the induction hypothesis (M0, s) ⊨ φ1. Otherwise, M0 = M and (M0, s) ⊨ φ1, M0 ⊨ C also hold true.

If AbstractRepair_AG returns an M' at line 16, this KMTS is the result of successive calls of AbstractRepair(Mi, sk, φ1, ∅) with Mi = AbstractRepair(M_{i-1}, sk, φ1, ∅) and i = 1, ..., for all may-reachable states sk from s such that (M0, sk) ⊭ φ1. From the induction hypothesis, (M', sk) ⊨ φ1 for all such sk and from the 3-valued semantics of CTL we conclude that (M', s) ⊨ AGφ1.

We prove the theorem for all other cases in the same way. □


Theorem 6.2 shows that AbstractRepair is sound in the sense that if it returns a KMTS M', then M' satisfies property φ. In this case, from the definitions of the basic repair operations, it follows that one or more KSs can be obtained for which φ holds true.


6.2.2. Semi-completeness.

Definition 6.3 (mr-CTL). Given a set AP of atomic propositions, we define the syntax of a CTL fragment inductively via a Backus Naur Form:

  φ ::= ⊤ | ⊥ | p | (¬φ) | (φ ∨ φ) | AXp | EXp | AFp | EFp | AGp | EGp | A[pUp] | E[pUp]

where p ranges over AP.

mr-CTL includes most of the CTL formulae apart from those with nested path quantifiers or conjunction.

Theorem 6.4 (Completeness). Given a KMTS M and an mr-CTL formula φ with (M, s) ⊭ φ for some state s of M, if there exists a KMTS M'' over the same set AP of atomic propositions with (M'', s) ⊨ φ, then AbstractRepair(M, s, φ, ∅) returns a KMTS M' such that (M', s) ⊨ φ.

Proof. We prove the theorem using structural induction on φ.

Base Case:

• if φ = ⊤, Theorem 6.4 is trivially true, because for any KMTS M it holds that (M, s) ⊨ φ.

• if φ = ⊥, then the theorem is trivially true, because there does not exist a KMTS M'' such that (M'', s) ⊨ φ.

• if φ = p ∈ AP, there is a KMTS M'' with p ∈ L''(s) and therefore (M'', s) ⊨ φ. The main AbstractRepair algorithm calls AbstractRepair_ATOMIC(M, s, p, ∅) at line 4 and an M' = ChangeLabel(M, s, p) is computed at line 1 of AbstractRepair_ATOMIC. Since C is empty, M' is returned at line 3 and (M', s) ⊨ φ from the 3-valued semantics of CTL. Therefore, the theorem is true.


Induction Hypothesis: For mr-CTL formulae φ1, φ2, the theorem is true. Thus, for φ1 (resp. φ2), if there is a KMTS M'' over the same set AP of atomic propositions with (M'', s) ⊨ φ1, AbstractRepair(M, s, φ1, ∅) returns a KMTS M' such that (M', s) ⊨ φ1.

Inductive Step:

• if φ = φ1 ∨ φ2, from the 3-valued semantics of CTL a KMTS that satisfies φ exists if and only if there is a KMTS satisfying one of φ1, φ2. From the induction hypothesis, if there is a KMTS M'' with (M'', s) ⊨ φ1, AbstractRepair(M, s, φ1, ∅) at line 1 of AbstractRepair_OR returns a KMTS M1' such that (M1', s) ⊨ φ1. Respectively, AbstractRepair(M, s, φ2, ∅) at line 2 of AbstractRepair_OR can return a KMTS M2' with (M2', s) ⊨ φ2. In any case, if either M1' or M2' exists, for the KMTS M' that is returned at line 13 of AbstractRepair_OR we have (M', s) ⊨ φ1 or (M', s) ⊨ φ2 and therefore (M', s) ⊨ φ.

• if φ = EXφ1, from the 3-valued semantics of CTL a KMTS that satisfies φ at s exists if and only if there is a KMTS satisfying φ1 at some direct must-successor of s.

If in the KMTS M there is a state s1 with (M, s1) ⊨ φ1, then the new KMTS M' = AddMust(M, (s, s1)) is computed at line 3 of AbstractRepair_EX. Since C is empty, M' is returned at line 5 and (M', s) ⊨ EXφ1.

Otherwise, if there is a direct must-successor si of s, AbstractRepair(M, si, φ1, ∅) is called at line 8. From the induction hypothesis, if there is a KMTS M'' with (M'', si) ⊨ φ1, then a KMTS M' is computed such that (M', si) ⊨ φ1 and therefore the theorem is true.

If there are no must-successors of s, a new state sn is added and subsequently connected with a must-transition from s. AbstractRepair is then called for φ1 and sn as previously, and the theorem holds true as well.

• if φ = AGφ1, from the 3-valued semantics of CTL a KMTS that satisfies φ at s exists if and only if there is a KMTS satisfying φ1 at s and at each may-reachable state from s.

AbstractRepair(M, s, φ1, ∅) is called at line 2 of AbstractRepair_AG and from the induction hypothesis, if there is a KMTS Ms'' with (Ms'', s) ⊨ φ1, then a KMTS M0 is computed such that (M0, s) ⊨ φ1. AbstractRepair is subsequently called for φ1 and for all may-reachable sk from s with (M0, sk) ⊭ φ1, one by one. From the induction hypothesis, if there is a KMTS that satisfies φ1 at each such sk, then all Mi = AbstractRepair(M_{i-1}, sk, φ1, ∅), i = 1, ..., satisfy φ1 at sk and the theorem holds true.

We prove the theorem for all other cases in the same way. □


Theorem 6.4 shows that AbstractRepair is semi-complete with respect to full CTL: if there is a KMTS that satisfies an mr-CTL formula φ, then the algorithm finds one such KMTS.


6.3. Complexity Issues. AMR's complexity analysis is restricted to mr-CTL, for which the algorithm has been proved complete. For these formulas, we show that AMR is upper bounded by a polynomial expression in the state space size and the number of may-transitions of the abstract KMTS, and depends also on the length of the mr-CTL formula.

For CTL formulas with nested path quantifiers and/or conjunction, AMR looks for a repaired model satisfying all conjuncts (constraints), which increases the worst-case execution time exponentially in the state space size of the abstract KMTS. In general, as shown in [10], the complexity of all model repair algorithms gets worse as their level of completeness is raised, but AMR has the advantage of working exclusively over an abstract model with a reduced state space compared to its concrete counterpart.

Our complexity analysis for mr-CTL is based on the following results. For an abstract KMTS M = (S, S0, Rmust, Rmay, L) and an mr-CTL property φ, (i) 3-valued CTL model checking is performed in O(|φ| · (|S| + |Rmay|)) [31], (ii) Depth First Search (DFS) of the states reachable from s ∈ S is performed in O(|S| + |Rmay|) in the worst case, or in O(|S| + |Rmust|) when only must-transitions are accessed, (iii) finding a maximal path from s ∈ S using Breadth First Search (BFS) is performed in O(|S| + |Rmay|) for may-paths and in O(|S| + |Rmust|) for must-paths.

We analyze the computational cost for each of the AMR's primitive functions:

• if φ = p ∈ AP, AbstractRepair_ATOMIC is called and the operation ChangeLabel is applied, which is in O(1).


34 


G. CHATZIELEFTHERIOU, B. BONAKDARPOUR, P. KATSAROS, AND S. A. SMOLKA 


• if φ = EXφ1, then AbstractRepair_EX is called and the applied operations with the highest cost are: (1) finding a state satisfying φ1, which depends on the cost of 3-valued CTL model checking and is in O(|S| · |φ1| · (|S| + |Rmay|)); (2) finding a must-reachable state, which is in O(|S| + |Rmust|). These operations are called at most once and the overall complexity of this primitive function is therefore in O(|S| · |φ1| · (|S| + |Rmay|)).

• if φ = AXφ1, then AbstractRepair_AX is called and the most costly operations are: (1) finding a may-reachable state, which is in O(|S| + |Rmay|); and (2) checking if a state satisfies φ1, which is in O(|φ1| · (|S| + |Rmay|)). These operations are called at most |S| times and the overall bound class is O(|S| · |φ1| · (|S| + |Rmay|)).

• if φ = EFφ1, AbstractRepair_EF is called and the operations with the highest cost are: (1) finding a must-reachable state, which is in O(|S| + |Rmust|), (2) checking if a state satisfies φ1, with its bound class being O(|φ1| · (|S| + |Rmay|)), and (3) finding a state that satisfies φ1, which is in O(|S| · |φ1| · (|S| + |Rmay|)). These three operations are called at most |S| times and consequently, the overall bound class is O(|S|² · |φ1| · (|S| + |Rmay|)).

• if φ = AFφ1, AbstractRepair_AF is called and the most costly operation is finding a maximal may-path violating φ1 in all its states, which is in O(|S| · |φ1| · (|S| + |Rmay|)). This operation is called at most |S| times and therefore, the overall bound class is O(|S|² · |φ1| · (|S| + |Rmay|)).

In the same way, it is easy to show that: (i) if φ = EGφ1, then AbstractRepair_EG is in O(|S| · |φ1| · (|S| + |Rmust|)), (ii) if φ = AGφ1, then AbstractRepair_AG is in O(|S| · |φ1| · (|S| + |Rmay|)), (iii) if φ = E(φ1 U φ2), then the bound class of AbstractRepair_EU is O(|S| · |φ1| · (|S| + |Rmust|)), (iv) if φ = A(φ1 U φ2), then AbstractRepair_AU is in O(|S|² · |φ1| · (|S| + |Rmay|)).

For an mr-CTL property φ, the main body of the algorithm is called at most |φ| times and the overall bound class of the AMR algorithm is O(|S|² · |φ| · (|S| + |Rmay|)).


6.4. Application. We present the application of AbstractRepair on the ADO system introduced earlier in the paper. After the first two steps of our repair process, AbstractRepair is called for the KMTS α_Refined(M) that is shown in Fig. 3b, the state s01 and the CTL property φ = AGEXq.

AbstractRepair calls AbstractRepair_AG with arguments α_Refined(M), s01 and AGEXq. The AbstractRepair_AG algorithm at line 10 triggers a recursive call of AbstractRepair with the same arguments. Eventually, AbstractRepair_EX is called with arguments α_Refined(M), s01 and EXq, which in turn calls AddMust at line 3, thus adding a must-transition from s01 to s1. AbstractRepair terminates by returning a KMTS M' that satisfies φ = AGEXq. The repaired KS is the single element of the set of KSs derived by the concretization of M' (cf. Def. 5.3). The execution steps of AbstractRepair and the obtained repaired KMTS and KS are shown in Fig. 13a and Fig. 13b respectively.

Although the ADO is not a system with a large state space, the example shows that the repair process is accelerated by the proposed use of abstraction. If, on the other hand, model repair were applied directly to the concrete model, new transitions would have to be inserted from all the states labeled with ¬open to the one labeled with open. In the ADO there are seven such states, but in a system with a large state space this number can be significantly higher. The repair of such a model without the use of abstraction would be impractical.
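As an added example (not the authors' prototype and not code from the paper), the following Python encodes a small KMTS with 3-valued satisfaction for the operators used in this section and in Algorithm 12 (EX, AG, E[·U·], ¬, ∨) and the AddMust-based repair steps: the EX / AG EX case traced above for the ADO, and the path-extension step of Algorithm 12 (lines 8-12). The ADO model, its state names s01 and s1, the proposition open and all transitions are constructed stand-ins for Fig. 3b, which is not reproduced here; the constraint set C is taken to be empty and the fresh-state fallbacks of the algorithms are omitted.

```python
"""3-valued CTL over a KMTS plus the AddMust repair step for EX, AG EX and E[f U g].
Added example, not the paper's prototype; the ADO model below is a constructed
stand-in for the abstract KMTS of Fig. 3b (states, labels and transitions assumed)."""


class KMTS:
    """Kripke Modal Transition System: Rmust is a subset of Rmay; labels map
    (state, proposition) to True, False or None (unknown)."""

    def __init__(self, states, init, must, may, labels):
        self.S, self.S0 = frozenset(states), frozenset(init)
        self.must = frozenset(must)
        self.may = frozenset(may) | self.must  # every must-transition is also a may-transition
        self.L = dict(labels)

    def succ(self, s, rel):
        return sorted(t for (u, t) in rel if u == s)

    def reach(self, s, rel, keep=lambda t: True):
        """States reachable from s (s included) over rel, through states accepted by keep."""
        seen, todo = set(), [s]
        while todo:
            u = todo.pop()
            if u in seen or not keep(u):
                continue
            seen.add(u)
            todo.extend(self.succ(u, rel))
        return seen

    def add_must(self, s, t):
        """Basic repair operation AddMust: insert (s, t) into Rmust (and hence into Rmay)."""
        return KMTS(self.S, self.S0, self.must | {(s, t)}, self.may, self.L)


def sat(m, s, phi):
    """3-valued satisfaction (M, s) |= phi: True, False, or None for unknown."""
    op = phi[0]
    if op == 'p':
        return m.L.get((s, phi[1]))
    if op == 'not':
        v = sat(m, s, phi[1])
        return None if v is None else (not v)
    if op == 'or':
        a, b = sat(m, s, phi[1]), sat(m, s, phi[2])
        return True if True in (a, b) else (False if a is False and b is False else None)
    if op == 'EX':  # true: some must-successor satisfies; false: every may-successor refutes
        if any(sat(m, t, phi[1]) is True for t in m.succ(s, m.must)):
            return True
        if all(sat(m, t, phi[1]) is False for t in m.succ(s, m.may)):
            return False
        return None
    if op == 'AG':  # true: all may-reachable states satisfy; false: a must-reachable one refutes
        if all(sat(m, t, phi[1]) is True for t in m.reach(s, m.may)):
            return True
        if any(sat(m, t, phi[1]) is False for t in m.reach(s, m.must)):
            return False
        return None
    if op == 'EU':  # least fixpoint: g holds, or f holds and some rel-successor is already in
        f, g = phi[1], phi[2]

        def lfp(rel, ok):
            X = {t for t in m.S if ok(sat(m, t, g))}
            grown = True
            while grown:
                grown = False
                for t in m.S - X:
                    if ok(sat(m, t, f)) and any(u in X for u in m.succ(t, rel)):
                        X.add(t)
                        grown = True
            return X
        if s in lfp(m.must, lambda v: v is True):
            return True
        if s not in lfp(m.may, lambda v: v is not False):
            return False
        return None
    raise ValueError(f'unsupported operator {op!r}')


def repair_ex(m, s, g):
    """AbstractRepair_EX, first case only: connect s by a must-transition to a state that
    already satisfies g (the successor-repair and fresh-state cases are not reproduced)."""
    for t in sorted(m.S):
        if sat(m, t, g) is True:
            return m.add_must(s, t)
    return None


def repair_ag_ex(m, s, g):
    """AG EX g: repair every may-reachable state at which EX g is not yet true. The
    reachable set is recomputed after each AddMust, since a new transition can enlarge it."""
    while True:
        bad = [t for t in sorted(m.reach(s, m.may)) if sat(m, t, ('EX', g)) is not True]
        if not bad:
            return m
        m = repair_ex(m, bad[0], g)
        if m is None:
            return None


def repair_eu_extend(m, s, f, g):
    """Algorithm 12, lines 8-12: extend a must-path of f-states starting at s with a
    must-transition to a state already satisfying g; assumes (M, s) |= f (lines 2-7) and C = {}."""
    if sat(m, s, f) is not True:
        return None
    for last in sorted(m.reach(s, m.must, keep=lambda t: sat(m, t, f) is True)):
        for t in sorted(m.S):
            if sat(m, t, g) is True:
                return m.add_must(last, t)
    return None


def ado_model():
    """Constructed abstraction of the ADO: s01 stands for the seven ¬open concrete states,
    s1 for the open state; (s01, s1) is only a may-transition, so EX open is unknown at s01."""
    return KMTS({'s01', 's1'}, {'s01'},
                must={('s1', 's1'), ('s1', 's01')},
                may={('s01', 's01'), ('s01', 's1')},
                labels={('s01', 'open'): False, ('s1', 'open'): True})


def ado_example():
    """(value before, value after, must-transitions added) for AG EX open at s01."""
    m, phi = ado_model(), ('AG', ('EX', ('p', 'open')))
    m2 = repair_ag_ex(m, 's01', ('p', 'open'))
    return sat(m, 's01', phi), sat(m2, 's01', phi), sorted(m2.must - m.must)


def eu_example():
    """Same model, E[¬open U open] at s01: unknown before, true after one AddMust."""
    m, f, g = ado_model(), ('not', ('p', 'open')), ('p', 'open')
    m2 = repair_eu_extend(m, 's01', f, g)
    return sat(m, 's01', ('EU', f, g)), sat(m2, 's01', ('EU', f, g)), sorted(m2.must - m.must)
```

ado_example() returns (None, True, [('s01', 's1')]): on the constructed abstract model the property is unknown, hence not satisfied, and a single must-transition from s01 to s1 repairs it, mirroring the trace of Fig. 13a; the final sat call is the guarantee of Theorem 6.2 made executable. eu_example() exercises the same AddMust through the path-extension step of Algorithm 12. The 3-valued semantics is what makes a must/may split matter: EX q becomes true only through a must-successor, while a may-successor can only prevent it from becoming false.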
(a) Application of AbstractRepair.



(b) The repaired KMTS and KS. 


Figure 13. Repair of ADO system using abstraction. 


7. Experimental Results: The Andrew File System 1 (AFS1) Protocol

In this section, we provide experimental results for the relative performance of a prototype implementation of our AMR algorithm in comparison with a prototype implementation of a concrete model repair solution [55]. The results serve as a proof of concept for the use of abstraction in model repair and demonstrate the practical utility of our approach.

As a model we use a KS for the Andrew File System Protocol 1 (AFS1) [51], which has been repaired for a specific property in [55]. AFS1 is a client-server cache coherence protocol for a distributed file system. Four values are used for the client's belief about a file (nofile, valid, invalid, suspect) and three values for the server's belief (valid, invalid, none).

A property which is not satisfied in the AFS1 protocol, in the form of CTL, is:

  AG ((Server.belief = valid) → (Client.belief = valid))

(a) The KS after the final refinement step.

(b) The refined KMTS.

Figure 14. The KS and the KMTS of the AFS1 protocol after the 2nd refinement step.
ABSTRACT MODEL REPAIR 


37 



(a) The repaired KMTS. 



(b) The repaired KS. 


Figure 15. The repaired KMTS and KS of the AFSl protocol. 
Models               Concrete states   Concrete repair (time in s)   AMR (time in s)   Improvement (factor)
AFS1                 26                17.4                          0.14              124
AFS1 (Extension 1)   30                24.9                          0.14              178
AFS1 (Extension 2)   34                35.0                          0.14              250
AFS1 (Extension 3)   38                117.0                         0.14              836

Table 1. Experimental results of AMR with respect to concrete repair. The last column is the ratio of the concrete repair time to the AMR time.


We define the atomic proposition p as Server.belief = valid and q as Client.belief = valid, and the property is thus written as AG(p → q). The KS for the AFS1 protocol is depicted in Fig. 14a. State colors show how the states are abstracted in the KMTS of Fig. 14b, which is derived after the 2nd refinement step of our AMR framework (cf. the corresponding figure). The shown KMTS and the CTL property of interest are given as input to our prototype AMR implementation.

To obtain larger models of AFS1 we have extended the original model by adding one more possible value for three model variables. Three new models are obtained with gradually increasing size of state space.

The results of our experiments are presented in Table 1. The time needed for the AMR prototype to repair the original AFS1 model and its extensions is from 124 to 836 times less than the time needed for concrete model repair. The repaired KMTS and KS for the original AFS1 model are shown in Fig. 15.

An interesting observation from the application of the AMR algorithm to the repair of the AFS1 KS is that the distance d (cf. Def. 4.1) of the repaired KS from the original KS is less than the corresponding distance obtained from the concrete model repair algorithm in [55]. This result demonstrates in practice the effect of the minimality-of-changes ordering on which the AMR algorithm is based (cf. Fig. 12).


8. Related Work

To the best of our knowledge this is the first work that suggests the use of abstraction as a means to counter the state space explosion in the search for a Model Repair solution. However, abstraction, and in particular abstract interpretation, has been used in program synthesis [50], a different but related problem to Model Repair. Program synthesis refers to the automatic generation of a program based on a given specification. Another related problem where abstraction has been used is that of trigger querying [3]: given a system M and a formula φ, find the set of scenarios that trigger φ in M.

The related work in the area of program repair does not consider KSs as the program model. In this context, abstraction has been previously used in the repair of data structures [43]. The problem of repairing a Boolean program has been formulated in [48, ?, 34, 51] as finding a winning strategy for a game between two players. The only exception is the work reported in [45].

Another line of research on program repair treats the repair as a search problem and applies innovative evolutionary algorithms [?], behavioral programming techniques [?] or other informal heuristics [?].
Focusing exclusively on the area of Model Repair without the use of abstraction, it is worth mentioning the following approaches. The first work on Model Repair with respect to CTL formulas was presented in [2]. The authors used only the removal of transitions and showed that the problem is NP-complete. Another interesting early attempt to introduce the Model Repair problem for CTL properties is the work in [12]. The authors build on the AI techniques of abductive reasoning and theory revision and propose a repair algorithm with relatively high computational cost. A formal algorithm for Model Repair in the context of KSs and CTL is presented in [55]. The authors admit that their repair process strongly depends on the model's size, and they do not attempt to provide a solution for handling conjunctive CTL formulas.

In [?], the authors try to render model repair applicable to large KSs by using "table systems", a concise representation of KSs that is implemented in the NuSMV model checker. A limitation of their approach is that table systems cannot represent all possible KSs. In [56], tree-like local model updates are introduced with the aim of making the repair process applicable to large-scale domains. However, the proposed approach is only applicable to the universal fragment of CTL.

A number of works attempt to ensure completeness for increasingly larger fragments of CTL by introducing ways of handling the constraints associated with conjunctive formulas. In [?], the authors propose the use of constraint automata for ACTL formulas, while in [?] the authors introduce the use of protected models for an extension of CTL. Neither of the two methods is directly applicable to formulas of full CTL.

The Model Repair problem has also been addressed in many other contexts. In [?], the author uses a distributed algorithm and the processing power of computing clusters to fight the time and space complexity of the repair process. In [?], an extension of the Model Repair problem has been studied for Labeled Transition Systems. In [?], we have provided a solution for the Model Repair problem in probabilistic systems. Another recent effort for repairing discrete-time probabilistic models has been proposed in [?]. In [7], model repair is applied to the fault recovery of component-based models. Finally, a slightly different but also related problem is that of Model Revision, which has been studied for UNITY properties in [?] and for CTL in [36]. Other methods in the area of fault-tolerance include the work in [30], which uses discrete controller synthesis, and [29], which employs SMT solving. Another interesting work in this direction is [26], where the authors present a repair algorithm for fault-tolerance in a fully connected topology, with respect to a temporal specification.


9. Conclusions

In this paper, we have shown how abstraction can be used to cope with the state explosion problem in Model Repair. Our model-repair framework is based on Kripke Structures, a 3-valued semantics for CTL, and Kripke Modal Transition Systems, and features an abstract-model-repair algorithm for KMTSs. We have proved that our AMR algorithm is sound for full CTL and complete for a subset of CTL. We have also proved that our AMR algorithm is upper bounded by a polynomial expression in the size of the abstract model for a major fragment of CTL. To demonstrate its practical utility, we applied our framework to an Automatic Door Opener system and to the Andrew File System 1 protocol.

As future work, we plan to apply our method to case studies with larger state spaces, and to investigate how abstract model repair can be used in different contexts and domains. A model repair application of high interest is the design of fault-tolerant systems. In [?], the authors present an approach for the repair of a distributed algorithm such that the repaired one features fault-tolerance. The input to this model repair problem includes a set of uncontrollable transitions, such as the faults in the system. The model repair algorithm used works on concrete models and can therefore solve the problem only for a limited number of processes. In this respect, we believe that this application could benefit from the use of abstraction in our AMR framework.

At the level of extending our AMR framework, we aim to search for "better" abstract models, in order to either restrict failures due to refinement or ensure completeness for a larger fragment of CTL. We will also investigate different notions of minimality in the changes introduced by model repair and the applicability of abstraction-based model repair to probabilistic, hybrid and other types of models.